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Preface 

Computer  networks  must  have  the  capability  to  protect 
the  information  they  contain,  especially  if  the 
information  is  sensitive  or  classified  for  national 
security  purposes.  This  research  effort  analyzes  the 
security  aspects  of  local  area  computer  networks  and 
presents  a  textual  definition  of  a  local  area  network 
(LAN)  security  uodel. 
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close  reviews  of  my  thesis  drafts  and  their  constructive 
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Abstract 

The  Department  of  Defense  needs  to  process  data  at 
various  levels  of  security  in  Local  Area  Networks  (LAM)  of 
computer  systems.  A  formal  computer  netvork  security  model 
is  a  necessary  first  step  in  certifying  a  computer  system 
to  process  classified  data.  Several  computer  security 
models  have  been  developed  to  identify  what  is  required  to 
enable  multilevel  certification  of  a  computer  system,  and 
a  similar  model  is  needed  for  LANs. 

The  primary  objective  of  this  research  project  is  to 
analyse  the  requirements  of  a  LAN  security  model. 
Conceptual  design  issues  of  LAN  security  modeling  are 
presented  in  this  thesis  to  identify  what  must  be  achieved 
to  ensure  security  is  not  violated  when  data  of  various 
levels  cf  security  are  processed  in  a  local  area  network. 

Due  to  their  distributed  nature,  LANs  involve  several 
security  issues  not  addressed  in  security  models  (such  as 
the  Bell-LaPadula  security  model)  developed  for  single 
computer  systems.  Therefore,  modeling  of  security  in  LANs 
and  computer  networks  must  be  complemented  with  LAN 
application  and  implementation  considerations,  primarily 
associated  vith  secure  communications  channels  between  LAN 


subscribers 


This  thesis  analysts  the  security  requirements  of  a 


local  area  computer  network,  highlighting  the  need  for  a 
^-*security  architecture*'  approach  to  modeling  security  in 
LANs.  A  textual  definition  of  a  prototype  LAM  security 
model  is  presented,  and  the  model's  application  to 
hypothetical  LAM  configurations  is  discusaed. 
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Computer  technology  hat  advanced  rapidly  within  the 
peat  decade,  resulting  in  the  trend  away  from  a  tingle 
"batch  processing"  computer  environment  and  towards  highly 
interactive,  real-time,  user-friendly  computer  systems. 
Similarly,  time-sharing  of  computer  resources  has  bean 
expanded  to  the  development  of  networks  of  computer 
systems.  Although  the  interconnection  of  many  computer 
systems  to  comprise  a  computer  network  offers  numercus 
advantages  and  user  flexibility,  the  problem  of  data 
security  may  be  aggravated.  Protection  of  data, 
particularly  classified  data,  within  a  computar  system  or 
computer  network  is  a  primary  concern  within  the 
Department  of  Defense. 

Therefore,  the  primary  objective  of  this  research 
project  is  to  identify  and  analyse  the  conceptual  design 
requirements  of  ensuring  the  security  of  classified  data 
in  a  local  area  network  (LAN)  of  computers. 

In  recent  research  and  development  efforts  to  design 
and  build  secure  computer  systems,  computer  security 
models  have  first  been  developed  no  provide  a  concise  and 
precise  description  of  the  behavior  desired  of  the 
security-relevant  portions  of  the  computer  system.  The 
certification  (accredidstion)  of  a  computer  system  to 
process  classified  data  at  various  security  levels  depends 
on  the  provability  of  the  security  enforcement  mechanisms 
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within  the  computer  system.  Formal  security  models,  such 
es  the  Bell  end  LePedule  model  (described  in  Chapter  3), 
have  provided  the  security  enforcement  criteria  which  must 
be  implemented  in  a  computer  system  design*  Certification 
o,C.  local  area  computer  networks  to  process  classified 
information  of  various  security  levels  is  a  topic  of 
current  interest  and  research  within  the  Department  of 
Defense  ( LAND81  LAND82  ,  SIDH82,  W0RM82) . 

A  formal  computer  security  model  is  a  necessary  first 
step  in  designing  and  certifying  a  computer  system  to 
process  classified  data.  Several  computer  security  models 
have  been  developed  to  identify  what  is  required  to  enable 
multilevel  certification  of  a  computer  system  (LAND81).  A 
similar  model  is  needed  to  identify  what  must  be  achieved 
to  ensure  security  is  not  violated  when  data  of  various 


levels  of  security  are  processed  in  a  local  area  computer 
network . 

However,  unlike  modeling  security  in  single  computer 
systems,  modeling  security  in  LANs  may  take  into  account 
certain  implementation  considerations  which  may  be 
specific  to  a  particular  LAN  configuration.  Those 
implementation  considerations  arise  due  to  the  distributed 
nature  of  LANs,  which  may  be  comprised  of  many 
heterogenous  host  computer  systems  distributed 
geographically.  Therefore,  in  addition  to  ensuring 
security  within  each  host  computer,  a  "global"  perspective 

.—gw 

\V?  to  analyxe  the  data  security  requirements  within  the 
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entire  LAN  mutt  be  considered.  Due  to  the  many  different 
potentiel  LAN  configurations,  specifications,  and 
applications,  the  development  of  a  single  "LAN  security 
model"  may  prove  to  be  an  infeasible  solution.  Instead, 
the  coordinated  development  of  a  "security  architecture", 
which  integrates  both  security  policy  models  and  LAN 
implementation  consideration,  may  result  in  a  more  useful 
analysis  tool  of  the  overall  LAN  security  requirements. 
This  thesis  addresses  the  requirements  and  conceptual 
design  issues  of  such  a  LAN  security  architecture, 
including  a  textual  definition  of  a  prototype  LAN  security 
model . 


CftttPMLci .  Rstsailu. 

A  computer  network  is  comprised  of  individual 
computer  systems  with  the  capability  to  communicate  with 
each  other  via  some  type  of  communications  medium.  The 
individual  computers  may  be  large  mainframe  computer 
systems,  supercomputers,  minicomputers,  or  small 
microcomputer  systems  such  as  a  desktop  personal  computer. 

The  computers  linked  by  the  network  may  be 
geographically  remote  from  each  other,  separated  by 
thousands  of  miles,  and  may  use  a  communications  link  via 
a  satellite  orbiting  the  Earth.  Alternatively,  the 
individual  computer  systems  may  be  in  the  same  room, 
physically  linked  by  vires. 
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A  local  area  network  (LAn)  lies  between  these  two 
v  extremes,  and  is  generally  defined  to  cover  a  geographic 

area  of  no  more  than  several  square  miles.  Examples  of  LAN 
coverage  would  be  a  univt  ?.ty  campus,  a  single  office 
building,  or  a  portion  of  a  city.  Although  a  particular 
LAN  may  provide  service  to  a  specific  geographic  area,  the 
LAN  may  contain  one  or  more  "gateway"  nodes,  or  interfaces 
with  other  computer  networks  (either  LANs  or  long-haul 
networks).  An  example  of  this  would  be  a  LAN  with  a 
gateway  node  to  ARPANET  (the  Defense  Advanced  Research 
Projects  Agency  Network),  which  is  a  national  long-haul 
computer  network.  In  this  example,  the  LAN  subscribers 
would  also  have  access  to  the  ARPANET  computer  resources 
^  in  addition  to  the  LAN^s  local  computer  resources. 

Conventional  network  configuration  and  analysis 
considers  such  parameters  as  placement  of  network  nodes 
(network  topology) ,  information  flow  patterns  and  rates 
within  the  network,  and  average  response  time  to  the 
individual  network  user  (TANE81).  This  research  project 
extends  this  parameter  list  to  include  data  security 
considerations.  The  level  of  data  protection  and  security 
provided  within  a  network  may  impact  any  or  all  of  the 
above  parameters,  particularly  information  flow  patterns 
and  overall  network  throughput  and  response  time. 

There  are  a  number  of  current  network  architectures 
(both  long-haul  and  LAN),  including  ARPANET,  Ethernet  (a 
popular  LAN  which  is  included  in  IEEE  Standard  802  on 


LANs)  IBM's  Systems  Network  Architecture  (SNA),  and 
Digital  Equipment  Corporation's  Digital  Network 
Architecture,  as  well  as  architectures  for  specialized 
applications.  Although  many  distinct  network  implemen¬ 
tations  have  been  proposed  and  designed,  an  attempt  has 
been  made  to  try  to  standardize  the  interfacing  of  various 
network  components. 

Network  Protocol  Lavers 

The  International  Standards  Organization  (ISO)  has 
proposed  an  architecture  model  with  the  potential  for 
universal  networking  as  a  first  step  toward  network 
protocol  standardization  (TANE81).  This  model  is  called 
the  open  systems  interconnection  (OSI)  reference  model, 
and  is  shown  in  Figure  1. 


Each 

of  the 

seven  protocol 

layers  in  the 

OSI 

reference 

model 

represents  a 

different  level 

of 

abstraction  of  the  communication  between  computer  systems. 
The  physical  layer  is  concerned  with  transmitting  raw  bits 
over  a  communications  channel,  focussing  primarily  on  the 
design  issues  dealing  with  mechanical,  electrical,  and 
procedural  interfaces  to  the  subnet. 

The  data  link  layer  takes  the  raw  transmission 
facility  of  the  physical  layer  and  transforms  it  into  a 
line  that  appears  free  of  transmission  errors  to  the 
network  layer.  This  is  accomplished  by  arranging  the  input 
data  into  data  frames,  transmitting  the  frames 
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sequentially,  and  processing  the  acknowledgement  frames 
sent  back  by  the  receiver. 


7  I  Application 
Inter  fact  ^ 

6  Presentation 
Interface  i 


5  Session 


Application  protocol 


Presentation  protocol 


Session  protocol 


Name  of  unit 
exchanged 

Application  Message 


Presentation  Message 


Session  Message 


The  network  layer  (sometimes  called  the 
communications  subnet  layer)  controls  the  operation  of  the 
subnet.  This  layer  basically  accepts  messages  from  the 
source  host,  converts  them  into  packets  of  data,  and 
ensures  that  Che  packets  are  properly  addressed  to  the 
destination  computer. 

The  transport  layer  (also  known  as  the  host-to-host 

\ 

layer)  accepts  data  from  the  session  layer,  splits  it  up 
into  smaller  units  (if  necessary),  and  passes  these  to  the 
network  layer.  The  network  layer  also  ensures  that  the 
pieces  all  arrive  correctly  at  the  other  end. 

The  session  layer  provides  the  user'j  interface  to 
the  network.  This  layer  establishes  a  connection  to 
another  host  within  the  network.  A  connection  between 
users  is  usually  called  a  "session". 

The  presentation  layer  performs  functions  that  are 
requested  sufficiently  often  by  users  to  warrant  a 
"library"  of  routines  availible  to  the  user,  such  as  text 
compression  or  data  encryption  (which  will  be  discussed 
further  in  Chapter  4) . 

The  application  layer  is  the  top  level  of  the 
protocol  abstraction,  and  is  generally  concerned  with 
network  transparency,  or  hiding  the  physical  distribution 
of  resources  from  the  user. 

Computer  networks  are  designed  as  a  series  of 
protocol  layers,  with  each  layer  being  responsible  for 
some  aspect  of  the  network's  operation.  These  protocols 
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the  focal  points  for  interfacing  one  or  more 


computer  systems  within  a  computer  network. 


The  impetus  for  computer  networks  is  to  facilitate 


information  exchange  among  a  variety  of  users*  each  of 


whom  may  require  access  to  common  data  bases  and  other 


computer  resources  shared  within  the  network.  This 


advantage  of  allowing  each  network  user  access  to  any  of 


the  information  contained  in  the  network  introduces  the 


problem  of  protecting  sensitive  and  personal  information 


from  disclosure  to  unauthorized  users. 


With  the  advent  of  the  "Information  Age"*  the  ease  of 


illegally  and  covertly  accessing  private  (either  corporate 


or  government)  computer  systems  and  their  respective  data 


bases  has  received  much  media  attention  (C0MP83).  In 


particular*  the  need  to  protect  information  stored  by 


electronic  means  has  been  focused  upon.  The 


ever-increasing  reliance  upon  electronic  storage  of 


information  necessitates  the  incorporation  of  security  as 


a  primary  design  consideration,  especially  in  computer 


systems  and  networks  which  process  sensitive  or  personal 


information.  Although  there  are  numerous  and  various 


requirements  to  protect  sensitive  information,  this  thesis 


will  consider  primarily  the  area  of  military  security,  the 


structure  of  which  will  be  described  in  detail  in  Chapter 


two . 


t 


Information  security  is  a  problem  whether  we  are 
discussing  individual  host  computers,  long-haul  computer 
networks,  or  LANs.  The  distributed  nature  of  computer 
networks  complicates  the  problem  of  information  security. 
In  particular,  certain  attributes  of  LANs  exacerbate  the 
problem  of  guaranteeing  information  security.  One  such 
attribute  is  the  network  access  scheme,  dealing  with  the 
lower  protocol  layers  of  the  ISO  reference  model.  A 
network  access  scheme  at  the  lower  protocol  layers 
specifies  how  information  is  to  be  transmitted  between 
network  nodes.  One  popular  implementation  of  the  lower  two 
protocol  layers  is  called  "Carrier  Sense  Multiple  Access 
with  Collision  Detection"  (CSMA/CD) . 

CSMA/CD  is  a  random-access  scheme  in  which  a  network 
node  competes  with  other  nodes  for  use  of  the  network 
media  (multiple  access).  Before  a  node  can  transmit  a 
message,  it  must  first  listen  to  the  desired  channel  to 
make  sure  that  it  is  not  busy.  The  node  recognizes  a  busy 
channel  by  detecting  the  presence  of  a  carrier  frequency 
("carrier  sense").  If  busy,  the  node  cannot  transmit  until 
the  channel  is  clear.  Once  transmission  starts,  the  node 
must  monitor  the  channel  again  to  make  sure  that  no  other 


nodes  are  transmitting 

on 

the  channel  at 

the 

same  time 

(collision  detection). 

If 

messages  do 

collide,  the 

transmission  is  aborted 

and 

the  node  waits 

or 

backs  off 

for  a  random  period 

of 

time  before 

it 

attempts 

retransmis  s ion 
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CSMA/CD  is  an  example  of  e  "broadcast"  method  of 
communication ,  where  each  node  in  a  LAN  broadcasts  a 
message  to  all  other  nodes.  The  message  contains 
addressing  information  to  indicate  the  intended  recipient 
of  the  message,  but  all  nodes  attached  to  the  LAN  medium 
may  potentially  "eavesdrop”  on  a  message.  Unless  the 
contents  of  the  message  are  protected  somehow  (i.e.,  via 
data  encryption),  the  potential  for  an  unauchor ised 
listener  on  the  network  to  intercept  sensitive  data 
messages  may  be  great.  This  is  an  example  of  the 
exploitation  of  the  network  protocols  to  compromise  data 
security . 

c9BPVtgr ..Sgspr iUy  Mpfleis 

A  computer  system  or  netvork  which  ia  to  be  certified 
secure  or  accredited  to  process  classified  information 
must  meet  certain  security-related  criteria.  To  date,  the 
security  criteria  have  been  in  the  form  of  a  formal 
security  model  which  describes  the  access  to  information 
within  a  computer  system  and  the  flow  of  information 
within  a  computer  system  (LAND81).  Security  models  will  be 
discussed  in  detail  in  Chapters  3  and  4  of  this  thesis.  In 
Chapter  3,  the  applicability  of  past  computer  security 
models  to  LANs  will  be  discussed,  emphasizing  the  need  to 
integrate  security  policy  models  with  LAN  implementation 
considerations.  Chapter  5  presents  a  textual  definition  of 
a  prototype  LAN  security  model,  including  example 
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applications  of  the  nodal  to  particular  LAN 
conf igurations . 


The  original  specification  of  this 


ch  project 


stated  that  the  objective  would  be  to  develop  a  formal 
security  model  for  local  area  networks.  In  the  early 
stages  of  research,  it  became  obvious  that  the  development 
of  a  formal  mathematical  model  (such  as  the  Bell  and 
LaPadula  security  model  described  in  BELL73b  and  BELL74) 
for  LANs  was  well  beyond  the  scope  of  a  master's  thesis 
project.  Instead,  the  research  objective  focussed  on 
developing  a  more  informal,  pseudo-English,  textual 
security  model  for  LANs,  similar  to  the  informal  secuzity 
model  proposed  for  military  message  systems  (MMS)  in 
LAND82.  Due  to  the  distributed  nature  of  LANs  and  the 
variety  of  application-specific  implementation  consider¬ 
ations,  a  more  promising  approach  to  modeling  security  in 
LANs  appears  to  be  the  coordinated  development  of  a 
"security  architecture",  which  integrates  both  security 
policy  models  and  LAN  implementation  considerations. 

Therefore,  the  ultimate  objective  of  this  research 
project  is  to  identify  and  analyse  the  conceptual  design 
requirements  of  ensuring  the  security  of  classified  data 
in  a  local  area  computer  network.  This  thesis  will  analyze 
the  requirements  of  a  local  area  network  computer  security 
model  and  present  a  prototype  LAN  security  model, 
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highlighting  the  need  for  a  "security  architecture" 
approach  to  modeling  security  in  LANs.  This  thesis  will 
address  what  must  be  achieved  to  ensure  security  is  not 
violated  when  data  of  various  levels  of  security  are 
processed  in  a  local  area  network. 

Approach  and  Scone 

A  secure  computer  network  may  only  be  designed  and 
certified  to  process  classified  information  after  first 
defining  a  formal  model  of  the  security  policy  to  be 
enforced  by  the  network.  The  scope  of  this  thesis, 
therefore,  is  to  identify  and  explore  the 
security-specific  design  issues  associated  with  a  local 
area  network.  Conceptual  design  issues  for  a  LAN  computer 
security  architecture  (which  may  he  applied  to  existing 
computer  networks  or  used  aa  a  guideline  for  incorporating 
security  in  future  local  area  networks)  will  be  presented, 
emphasising  the  distinction  between  security  policy  and 
LAN  implementation  considerations. 

The  net  result  is  to  underscore  the  need  for  a 
security  architecture  which  is  tailored  to  a  particular 
LAN  application  (or  class  of  applications).  By  carefully 
integrating  security  policy  issues  with  LAN  implementation 
issues,  the  end  result  should  facilitate  the  verification 
of  a  particular  LAN's  security  enforcement  properties. 
Although  the  development  of  a  formal  mathematical  model 
specification  (as  in  BELL73b,  BELL74)  is  beyond  the  ccope 
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of  this  research  project,  a  textual  definition  of  a  LAN 
security  model  if  presented  and  discussed. 

fli&A&jjuLfci&a 

This  report  contains  six  main  chapters  followed  by  a 
Conclusions  and  Recommendations  chapter.  This  first 
chapter  provides  a  brief  introduction  to  security 
considerations  in  local  area  computer  networks  by 
discussing  computer  networks  and  information  security. 
Further,  this  first  chapter  defines  the  research  objective 
and  its  associated  scope  of  effort,  and  outlines  the 
organisation  of  this  thesis. 

Chapter  2  then  presents  several  important  security 
concepts,  including  a  discussion  of  military  security, 
potential  threats  to  security,  and  a  description  of  the 
four  basic  modes  of  computer  operation  the  Department  of 
Defense  uses  to  iccxedlt  computer  systems  processing 
classified  information.  Chapter  3  discusses  specific 
security  models,  emphasizing  the  difference  betwoen  the 
LAN  implementation  cons idara* ionr  of  a  secure  network  and 
the  modeling  of  tue  ns-work  security  policy  to  be 
enforced.  Next,  several  approaches  and  implementation 
considerations  (such  as  physical  security  and  data 
encryption)  of  designing  multilevel  secure  LANs  are 
discussed  in  Chapter  4,  again  emphasising  the  distinction 
between  the  implementation  considerations  and  the  security 
policy  model. 
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Chapter  5  then  presents  a  textual  definition  of  a 
prototype  LAN  security  model,  including  a  discussion  of 
the  application  of  the  model  to  particular  LAN 
configurations.  Chapter  6  further  explores  the  critical 
design  issues  of  secure  communications  channels  within  the 
network  and  the  inclusion  of  security  in  the  specification 
of  the  network  protocols.  Chapter  6  also  illustrates  the 
interdependence  of  a  security  policy  model  and  the  various 
design  implementation  considerations  discussed  in  earlier 
chapters.  The  ultimate  goal  is  to  apply  knowledge  of  both 
security  policy  models  and  LAN  implementation  constraints 
to  meet  the  objective  of  processing  multilevel  secure 
(MLS)  information  in  a  local  area  network. 

Conclusions  aud  recommendations  for  further  study  are 
presented  in  Chapter  7,  followed  by  an  appendix  which 
documents  a  particular  data  security  unit  available  at 
A7IT  for  possible  future  research  in  the  incorporation  of 
data  encryption  in  computer  networks. 

S\iafti,ry 

The  ever-increasing  reliance  upon  electronic  storage 
of  information  necessitates  the  incorporation  of  security 
as  a  primary  design  consideration,  especially  in  computer 
systems  and  networks  which  process  sensitive  or  personal 
information.  Therefore,  this  research  project  identifies 
and  analyses  the  design  requirements  of  ensuring  the 
security  of  classified  data  in  a  local  area  network  of 
computers , 
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Data  security  in  computer  networks  is  becoming 
increasingly  important,  owing  to  the  expanding  role  of 
distributed  computation,  distributed  databases,  and 
telecommunication  applications  such  as  electronic  mail  and 
electronic  funds  transfer.  Additionally,  the  Department  of 
Defause  needs  to  process  data  at  various  levels  of 
security  while  ensuring  that  unauthorized  access  to 
classified  information  will  not  occur.  Although  there  are 
numerous  and  various  requirements  to  protect  information, 
both  corporate  and  government,  this  thesis  will  consider 
primarily  the  area  of  military  security. 


Military  security  is  necessary  due  to  the  existence 
of  information  that,  if  known  by  an  enemy,  could 
potentially  damage  the  national  security.  The  hierarchy  of 
military  security  recognises  the  need  for  different 
sensitivity  levels,  since  not  all  information  is  equally 
sensitive  to  disclosure.  The  recognised  sensitivity 
levels,  in  increasing  order  of  impact  on  national 
security,  are  "Unclassified",  "Confidential",  "Secret", 
and  "Top  Secret".  Information  that  has  been  assigned  any 
of  the  three  levels  above  "Unclassified"  is  referred  to  as 
"Classified"  information. 
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In  addition  to  a  tanaitivity  laval,  a  finar  dagrae  of 
claaaif ication  has  baan  craated  batad  on  an  ind ividuala ' 9 
"nead-to-knov" .  Although  this  "nead-to-knov"  princip 
applies  to  all  claaaifiad  information,  in  some  case* 
information  ralating  to  apacific  aubjact  araaa  ia  formally 
daaignatad  aa  a  aaparata  catagory  or  "compar tment"  of 
information  (LAND81).  Compartmont  daaignationa  ara  in 
addition  to  tha  aanaitivity  laval  daaignation. 


Compartmanta  may  overlap,  with  aona  information  daaignatad 
aa  baing  in  two  or  more  compartmanta.  Therefore,  a 
"claaaif ication"  (alao  referred  to  aa  "aacurity  level"  or 
"aacurity  partition")  conaiata  of  both  a  aanaitivity  laval 
and  a  (poaaibly  empty)  aat  of  compartmanta. 

Thia  structure  of  military  aacurity  ia  generally 
modeled  aa  a  tvo-dinena ional  matrix,  or  "lattice".  One 
axia  may  repreaent  the  aanaitivity  lavela,  and  the  other 
axia  may  repreaent  tha  compartment ( a ) .  Therefore,  a 
particular  aacurity  partition  may  be  represented  in  a 
digital  computer  aa  a  point  or  set  of  points  vithin  the 
lattice.  Figure  2  illustrates  such  a  lattice  hierarchy. 


with  a  global  lover  bound  of  "Unclassified  -  No 
Categories"  and  a  global  upper  bound  of  "Top  Secret  -  All 
Categories". 

Since  the  purpose  of  the  classification  system  is  to 
prevent  the  uncontrolled  dissemination  of  sensitive 
information,  mechanisms  are  required  to  ensure  that  those 
individuals  allowed  access  to  classified  information  will 
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not  distribute  it  improperly.  A  security  "clearance”  may 
be  granted  to  an  individual,  indicating  that  certain 
formal  procedures  and  investigations  have  been  carried  out 
and  that  the  individual  is  trustworthy  with  information  up 
to  a  certain  security  level.  Therefore,  security  policy 
dictates  which  individuals  (based  on  the  individual's 
security  clearance)  may  have  access  to  certain  classified 
information  (based  on  the  security  classification  of  the 
information).  In  a  computer  system  or  network,  the 
enforcement  of  a  security  policy  first  involves  the 
identification  of  potential  threats  to  the  security  o *  the 
information  contained  within  the  computer  or  network  of 
computet  s  . 

Security  Threats 

The  use  of  computers  to  store  and  modify  information 
may  greatly  simplify  the  composition,  editing  (word 
processing),  distribution  (electronic  mail),  and  reading 
of  messages  and  documents.  However,  information  contained 
in  a  computer  system  must  be  protected  from  three  primary 
threats : 

1.  Unauthorized  disclosure  of  information. 

2.  Unauthorized  modification  of  information. 

3.  Unauthorized  withholding  of  information  (denial 
of  service) . 
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In  Che  military  security  system,  an  individual  is 
authorized  to  view  information  classified  within  his  own 
security  clearance  (sensitivity  level  plus  need-to-know)  . 
The  first  threat  above  describes  the  case  where  an 
individual  is  able  to  gain  access  to  information 
classified  above  his  own  security  clearance  level.  The 
second  threat  arises  if  an  individual,  even  though  he  may 
possess  the  appropriate  security  clearance  to  view  a 
classified  document  (or  to  read  a  file),  is  able  to  modify 
the  document  (or  to  write  to  a  file)  without  possessing 
the  authority  to  modify  it.  The  third  threat  depicts  a 
potential  situation  in  which  an  authorized  user  with  an 
appropriate  security  clearance  is  denied  access  to  a 
classified  document  (inadvertently  or  intentionally). 
Landwehr  also  discusses  subclasses  of  these  threats  along 
with  other  threats,  noting  that  most  formal  security 
models  do  not  address  threats  such  as  wiretapping 
(LAND 81 ) . 


Each  of  these  three  primary  threat  areas  are  further 
aggravated  when  computer  systems  are  interconnected  via  a 
network  sucU  as  a  LAN.  A  single  computer  system  may 
incorporate  a  centralized  "security  kernel"  or  some  other 
single  security  focal  point  responsible  for  enforcing  a 


security 

policy.  A  network  of  computers  may  or 

may 

not 

contain 

a  centralized 

security 

focal  point, 

and 

the 

security 

enforcement 

mechanisms 

may  themselves 

become 

distributed  throughout 

the  network.  For  example, 

the 
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CSMA/CD  network  access  protocol  (described  in  Chapter  1) 

v\ 

'3j>,'  actually  broadcasts  all  network  messages  to  all  network 
subscribers,  assuming  that  only  the  network  node  to  which 
the  message  is  addressed  will  bother  to  process  it.  This 
poses  a  significant  problem  in  protecting  the  network 
messages  from  unauthorized  disclosure  to  other  network 
subscribers  who  may  not  possess  the  necessary  security 
clearances.  Some  form  of  communications  security,  such  as 
the  encryption  of  the  actual  data  messages  within  the 
network,  must  therefore  be  an  integral  part  of  the  network 
design. 

The  visibility  of  all  network  data  traffic  to  all  LAN 
subscribers  poses  a  significant  potential  security  threat 


a  resource  is  only  allowed  to  process  data  at  one 
particular  classification  level. 

At  present,  the  Department  of  Defense  uses  four  modes 
of  operation  to  accredit  computer  systems  processing 
classified  information  (LAND83): 

1.  Dedicated:  All  system  equipment  is  used 

^  exclusively  by  that  system,  and  all 

users  are  cleared  for  and  have  a 
need-to-know  for  all  information 
processed  by  the  computer  system. 

2.  System  High:  All  Equipment  is  protected  in 

accordance  with  requirements  for  the 
most  classified  information  processed 
by  the  system.  All  users  are  cleared 
to  that  level,  but  some  users  may  not 
have  a  need-to-know  for  some  of  the 
inf ormat ion . 

3.  Controlled:  Some  users  have  neither  a  security 

clearance  nor  a  need-to-know  for  some 
information  processed  by  the  system, 
but  separation  of  users  and  classified 
material  is  not  essentially  under 
operating  system  control  (i.e.,  manual 
intervention  by  a  tystam  security 
officer)  . 

4.  Multilevel:  Some  users  have  neither  a  security 

clearance  nor  need-to-know  for  some 


information  processed  by  this  system, 
and  separation  of  personnel  and 
material  is  accomplished  by  tbe 
operating  system  and  associated  system 
software. 


Definitions  of  these  modes  are  provided  in  DoD 
Directive  5200.28  (DOD78).  Depending  on  the  operating 

environment  of  a  LAM,  it  may  need  to  be  accredited  for 
operation  in  any  one  of  the  four  modes.  Realistically,  a 
LAN  will  probably  need  to  be  accredited  for  either 

Controlled  Mode  or  Multilevel  Mode,  since  a  variety  of 
ussts  may  have  access  to  the  LAM  and  it  may  be 

inappropriate  or  impossible  for  all  LAN  users  to  obtain 
the  highest  possible  security  clearance. 

gama.  fy 

Data  security  in  computer  networks  is  becoming  an 

increasingly  important  design  issue..  This  research 
focusses  upon  the  military  security  environment, 
emphasizing  the  protection  of  classified  information  from 


unauthorized  disclosure.  Three  primary  security  threats 
must  be  considered,  with  the  added  complexity  of  securing 
a  distributed  electronic  information  media  such  as  a  LAN. 
A  means  of  illustrating  the  overall  approach  to  security 
in  a  complex  computer  system  or  network  may  be  embodied  as 
a  formal  security  model  of  what  must  be  achieved  to  ensure 
security  policies  are  not  violated.  In  the  next  chapter 


computer  security  models  will  be  discussed,  emphasizing 
the  distinction  betveen  security  policy  models  and  LAN 
implementation  considerations. 


XXX.  COMPUTER  SECURITY.  MODELS 
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The  previous  chapter  explained  various  security 
concepts,  including  a  discussion  of  military  security  and 
information  security  as  it  relates  to  computer  systems  and 
networks.  The  next  chapter  will  offer  some  insight  into 
the  implementation  aspects  of  security  in  local  area 
networks  of  computer  systems.  However,  the  distinction 
between  a  formal  security  policy  model  and  the  actual 
implementation  details  of  security  enforcement  mechanisms 
should  be  stressed.  The  transformation  from  a  given 
security  model  to  an  operable,  secure  computer  system  or 
network  is,  unfortunately,  not  a  well-defined  process.  In 
fact,  the  applicability  of  computer  security  models  to 
date  has  focussed  primarily  upon  a  single  computer  system 
rather  than  a  network  of  computers. 

Although  problems  in  computer  network  security  are 
closely  paralleled  by  models  and  mechanisms  developed  in 
the  course  of  research  in  computer  system  security, 
network  implementation  considerations  may  introduce  some 
additional  complicating  factors.  For  example,  security 
mechanisms  incorporated  in  a  single  computer  system  which 
is  accessed  via  a  computer  network  may  be  rendered 
ineffective  if  the  computer  network  fails  to  provide  a 
secure  communication  path  between  each  user  and  the 
computer  system. 
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This  chapter  will  discuss  computer  security  models 
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which  are  in  existence  today,  focussing  on  the 
Bel  1-LaPadula  security  model  and  its  applicability  to 
modeling  security  in  computer  networks.  The  potential 
deficiencies  of  security  models  as  applied  to  local  area 
computer  networks  will  be  presented,  highlighting  the  need 
to  integrate  security  policy  models  with  LAN 
implementation  considerations  to  form  a  security 
architecture . 

Security  Models 

A  computer  system  or  network  which  is  to  be  certified 
to  pr  cess  classified  information  must  meet  certain 
security-related  criteria,  usually  in  the  form  of  a 
seen  y  model.  A  system  security  model  defines  the 
secur.  _y  rules  or  policy  that  must  be  enforced  by  the 
system  implementation. 

The  "lattice  model"  of  security  levels  is  widely  used 
to  represent  the  structure  of  military  security  levels 
(LAND81  ,  KU081),  as  mentioned  earlier  in  Chapter  2.  Since 
a  lattice  is  a  finite  set  of  ordered  elements,  security 
classifications  (which  include  a  sensitivity  level  and  a 
(possibly  empty)  set  of  compartments)  may  be  represented 
as  ordered  elements  within  the  lattice. 

There  are  a  limited  number  of  security  models  in 
existence  today,  including  the  UCLA  Data  Secure  Unix 
model,  the  Take-Grant  model,  the  High-Water  Mark  model, 
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and  the  Bell-LaPadula  model  (LAND81),  the  moat  prominent 
of  which  is  the  Bel 1-LaPadula  model  ( BELL7 3 a ,  BELL7 3 b  , 
BELL74).  A  more  recent  security  model  proposed  by  Landvehr 
(LAND82)  for  military  message  systems  (MMS)  developed  a 
new  approach  to  defining  security  models  based  on  the  idea 
that  a  security  model  should  be  derived  from  a  specific 
application  (i.e.,  the  family  of  military  message 
systems).  Both  the  Bel 1-LaPadula  security  model  and  the 
MMS  security  model  will  be  discussed  in  this  chapter. 


Be 11-La Pad u la _S e c u r it v  Mad e 1 
c  ince  the  early  1970*8  the  Electronic  Systems 
Division  (ESD)  of  the  United  States  Air  Force  and  the 
MITRE  Corporation  have  been  involved  in  various  projects 
relating  to  secure  computer  systems  design  and  operation. 
One  effort  which  began  in  1972  at  MITRE  initially  produced 
a  mathematical  framework  and  a  model  by  D.  Elliott  Bell 
and  Leonard  J.  LaPadula,  referred  to  as  the  Bell-LaPadula 
security  model.  The  Bell  'LaPadula  security  model  (along 
with  its  subsequent  refinements)  has  been  widely  applied 
in  prototype  Department  of  Defense  systems  (LAMD83).  Carl 
Landwehr  presents  a  detailed  accounting  of  over 
twenty-five  completed  and  on-going  projects  to  develop 
secure  systems,  noting  which  projects  are  based  upon  the 
Bell-LaPadula  model  (LAND83 )  . 

Bell  and  LaPadula  use  finite-state  machines  and 
mathematical  proofs  to  formalize  their  model  (BELL73a, 


i 


3-3 


BELL73b,  BELL74) .  They  first  define  the  various  components 
of  the  finite-state  machine,  then  formally  define  what  it 
maans  for  a  given  state  to  be  secure.  Finally,  they 
consider  the  state  transitions  that  can  be  allowed  so  that 
a  secure  state  can  never  lead  to  an  insecure  state.  State 
representations  and  transitions  rely  on  the  entries  in  a 
"access  matrix". 


Access  Matrix 

There  are  three  principle  components  in  the  access 
matrix:  a  set  of  passive  ".bjecte" ,  a  set  of  active 
"subjects"  which  may  manipulate  the  objects,  and  a  set  of 
access  rules  which  govern  the  manipulation  of  objects  by 
subjects.  Each  subject  has  a  security  "clearance",  and 
each  object  has  a  security  classification.  Each  subject 
also  has  a  "current  security  level",  which  may  not  exceed 
the  subject's  clearance. 

The  access  matrix  is  a  rectangular  array  with  one  row 
per  subject  and  one  column  per  object.  The  entry  for  a 
particular  row  and  column  reflects  the  modes  of  access 
between  the  corresponding  subject  and  object.  The  four 
modes  of  access  are: 

Read-only:  Subject  may  read  the  object  but  cannot 

modify  it 

Append:  Subject  may  vrite  the  object  but  can- 

noc  read  it 

Execute:  Subject  may  execute  the  object  but 
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Read/Writ* : 
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>-> 


cannot  read  or  vrit*  it  directly 

Read/Writ*:  Subject  may  both  read  and  write  the 

object 

In  addition  to  the  four  mode*  of  access,  a  control 
attribute  ia  defined  which  allow*  a  eubject  to  paaa  to 
other  eubject*  eom*  or  all  of  the  acceea  mode*  it 
poseeeeae  for  the  controlled  object.  However,  the  control 
attribute  iteelf  cannot  be  paaaed  to  other  aubjecta.  The 
control  attribute  ia  granted  only  to  the  eubject  that 
created  the  object. 

&is»xix  Y,  gxfljajLfci&i. 

In  order  for  a  given  atate  to  be  conaidered  secure, 
two  security  properties  must  hold: 

1)  Simple  Security  Property:  A  subject  at  a  given 
security  level  may  have  read  access  only  to 
objects  at  the  same  or  lower  security  level 
(referred  to  as  "no  read  up"). 

2)  *-Property  (pronounced  "star-property"):  No 

subject  may  have  append  access  to  an  object  whose 
security  level  is  not  at  least  the  current 
security  level  of  the  subject;  no  subject  has 
read/write  access  to  an  object  whose  security 
level  is  not  equal  to  the  current  security  level 
of  the  subject;  no  subject  has  read  access  to  an 
object  whose  security  level  is  not  at  most  the 
current  security  level  of  the  subject. 
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A  set  of  rules  governing  the  transition  from  one 
state  to  another  are  required  to  preserve  these  two 
security  properties.  Bell  and  LaPadula  defined  rules  to 
provide  the  following  functions: 

A)  get  (read,  append,  execute,  or  read/write) 

access,  to  initiate  access  to  an  object 
by  a  subject  in  the  requested  mode; 

B)  release  (read,  append,  execute,  or  read/write) 

access,  the  inverse  of  get  access; 

C)  give  (read,  append,  execute,  or  read/write) 

access ,  to  allow  the  controller  of  an 
object  to  extend  the  designated  access  to 
another  subject; 

D)  rescind  (read,  append,  execute,  or  read/write) 

access,  the  inverse  of  give  access; 

E)  create  object,  to  activate  an  inactive  object  or 

create  a  new  object; 

F)  delete  object,  to  deactivate  an  active  object; 

G)  change  security  level,  to  allow  a  subject  to  alter 

its  current  security  level. 

It  is  formally,  mathematically  demonstrated  in  BELL74 
that  each  of  the  specified  rules  preserve  both  the  simple 
security  property  and  the  ^-property.  One  further  security 
principle  is  called  the  "tranquility"  principle,  which 
asserts  that  no  operation  may  change  the  classification  of 
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A  reference  monitor,  as  illustrated  in  Figure  3, 
utilises  the  access  matrix  to  check  the  validity  of  a 


subject's  accesses  to  objects.  All  acci 


to  objects  are 


mediated  by  en  enforcement  mechanism,  the  reference 
monitor,  that  refers  to  the  data  in  the  access  matrix.  The 
reference  monitor  rejects  any  accesses  (ineluding  improper 
attempts  to  alter  the  access  matrix  data)  that  are  not 
allowed  by  the  current  protection  state  and  rules.  To  be 
effective,  the  reference  monitor  must  be  small  enough  so 
that  its  correctness  can  be  proven,  and  must  be  tamper 
proof.  The  reference  monitor  is  commonly  associated  with 
the  "security  kernel",  which  is  a  hardware/sof tware 
mechanism  that  implements  the  reference  monitor. 


Security  Kernel 

A  security  kernel  is  ectuelly  e  hardware/ sof tware 
nechaniso  that  implements  a  reference  monitor  (as 
described  above),  but  the  term  has  also  been  used  to 
denote  all  security-relevant  system  software  (AMKS83, 
LAND83).  A  security  kernel  may  be  viewed  as  the  very  heart 
of  a  shelled  operating  system  (as  in  the  conceptual 
shelled  structure  of  the  UNIX  operating  system),  and  is 
responsible  for  mediating  all  references  and  transactions 
between  subjects  and  objects  to  enforce  a  particular 
security  policy.  It  is  necessary  to  keep  the  security 
kernel  as  simple  as  possible  to  enhance  the  verification 
and  proof  of  the  kernel's  adherence  to  a  security  policy. 

Actual  security  kernel  implementations  usually 
include  one  component  called  the  kernel,  which  enforces  a 
specified  set  of  security  rules,  and  other  components 
called  trusted  processes.  These  processes  are  trusted  not 
to  violate  security,  although  they  may  not  be  bound  to  all 
of  the  security  rules.  An  example  of  a  trusted  process 
would  be  a  System  Security  Officer  (SSO)  performing  a 
process  to  downgrade  or  declassify  an  object  or  file. 

Many  projects  have  sought  to  demonstrate  the 
practicality  of  the  security  kernel  approach  (AMES83, 
LAND 83 ,  SCHE83).  A  primary  limiting  factor  on  security 
kernel  implementation  is  the  system  performance 
degradation  due  to  the  fact  that  ail  processes  must  be 
mediated  through  the  security  kernel. 
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Military  Message  Systems 

An  example  of  the  need  to  integrate  a  security  model 
with  particular  network  implementation  considerations  is 
given  in  LAND82,  which  describes  an  informal  security 
model  for  the  family  of  Military  Message  Systems  (MMS). 
This  work  at  the  Naval  Research  Laboratory  (NRL)  is 
investigating  the  use  of  application-based  security  models 
in  the  development  of  military  message  systems  (LAND83). 
Although  the  informal  model  intends  to  encompass  security 
throughout  the  MMS  family,  Landwehr  points  out  that  each 
family  member  (network  node)  requires  a  separate  security 
analysis . 

The  informal  model  presented  has  the  same  general 
structure  as  the  Be  1 1-LaPadula  security  model.  However, 
due  to  the  nature  of  the  data  traffic  in  the  MMS  family, 
the  Bell-LaPadula  concept  of  an  "object"  is  replaced  by  an 
"entity”,  which  is  either  a  "container"  or  an  "object".  A 
container  may  contain  several  objects,  each  of  which  may 
have  a  different  security  level  associated  with  it.  The 
informal  model  in  LAND82  is  comprised  of  several 
definitions  (clearance,  user,  container,  message,  access 
set,  etc.)  supplemented  by  four  "security  assumptions"  and 
ten  "security  assertions"  (such  as  "viewing"  and 
"downgrading") . 

The  concept  of  an  "entity"  recognizes  that  in  a 
network  the  entity  may  be  a  host  (container)  which  must  be 
accessed  first  before  you  can  access  an  "object".  This 
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type  of  extension  to  the  Be  1 1-LaPadula  model  by  developing 
a  hierarchy  of  entities  may  attempt  to  incorporate  the 
distributed  nature  of  a  network  into  the  security  model. 
However,  the  transformation  from  such  a  security  model  to 
an  actual  LAN  design  may  neglect  certain  other  security 
issues  pertinent  to  LANs,  such  as  communications  security 
and  the  structure  of  the  network  protocols.  Since  a 
security  model  is  used  to  illustrate  and  verify  the 
security  aspects  of  a  computer  system  or  network,  this  may 
hinder  the  verification  of  the  LAN's  security  properties. 

This  type  of  security  model  considers  highly 
application-specific  details  to  formulate  a  requirements 
definition  of  overall  system  security.  This  particular 
security  model  illustrates  the  fact  that  modeling  of 
security  in  computer  networks  needs  to  include 
application-specific  implementation  considerations. 

Summary 

Security  models  to  date  have  focussed  primarily  upon 
single  computer  systems  as  opposed  to  computer  networks. 
The  Bell-LaPadula  model  provides  the  basis  for  modeling 
security  policy,  in  terms  of  what  relationships  and 
actions  may  occur  among  subjects  (i.e.,  users)  and  objects 
(i.e.,  data  files)  within  a  computer  system.  The  MMS 
security  model  develops  the  concept  that  a  security  model 
should  be  derived  from  a  specific  application.  Although 
problems  in  computer  network  security  are  closely 
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paralleled  by  models  and  mechanisms  developed  in  the 
course  of  research  of  computer  systems  security,  nef.vors 
implementation  considerations  may  introduce  some 
additional  complicating  factors  for  ensuring  data 
security.  The  next  chapter  will  present  and  discuss  some 
of  these  important  implementation  considerations. 
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In  addition  to  the  more  abstract  concept  of  the 
computer  security  model,  several  design  and  implementation 
approaches  may  lend  some  insight  into  the  actual 
implementation  constraints  that  security  imposes  upon  a 
computer  network.  Several  approaches  to  achieving  a 
multilevel  secure  local  area  network  are  described  below, 
including  physical  separation  of  independent  LANs  (each 
dedicated  to  operation  at  a  different,  fixed  security 
level),  mult iplaxiog  security  levels  in  a  single  LAN,  data 
encryption,  and  trusted  network  interface  units.  A 
detailed  presentation  of  data  encryption  and  decryption 
algorithms  is  beyond  the  scope  of  this  thesis,  but  may  be 
found  in  MEYE82.  Rather,  an  overview  of  data  encryption  is 
presented  to  illustrate  the  potential  complexity  of 
cryptographic  key  distribution  and  management  schemes 
which  must  be  addressed  in  a  LAN  implementation. 

Security  in  networks  differs  in  several  aspects  from 
security  in  a  centralized  computer  system.  A  primary 
reason  is  the  distributed  nature  of  a  LAN  (as  opposed  to 
the  more  localized  nature  of  a  single  computer  system)  and 
the  complication  of  establishing  and  maintaining  secure 
communication  channels  between  LAN  subscribers.  A  second 
reason  is  that  the  network  protocols,  if  not  properly 
designed,  can  be  used  by  an  intruder  to  gain  access  to  the 
network  data  or  have  it  misrouted  within  the  network.  In  a 
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long-haul  type  of  computer  network,  the  switching  nodes 
and  concentrators  are  distributed  physically  and  may  or 
may  not  be  considered  secure. 

Physical  Security 

Physical  security  refers  to  the  careful  control  of 
physical  access  to  or  exposure  of  specific  sensitive 
resources  such  as  classified  information.  Examples  of 
physical  security  include  safes  for  storage  of  classified 
information,  restricted  access  areas  of  buildings,  and 
security  guards  to  prevent  unauthorized  personnel  from 
entering  a  restricted  area.  If  complete  physical  security 
were  applied  to  a  computer  system  or  a  local  area  network, 
all  components  of  the  computer  system  or  network  would  be 
required  to  be  physically  secure.  This  means  that  all  host 
processors,  data  terminals,  printers,  cables  (or  other 
data  transmission  medium)  and  all  other  peripheral 
equipment  must  be  physically  secure.  Physical  security 
also  includes  measures  to  prevent  information  from  leaving 
the  computer  site  without  proper  authorization. 

Unfortunately,  complete  physical  security  severely 
constrains  an  information  processing  system.  For  example, 
complete  physical  security  precludes  the  connection  of 
such  a  system  to  a  netvork  where  other  users  are  present 
vho  may  not  possess  proper  authorisation  to  access  the 
classif  ad  information.  Additionally,  complete  physical 
security  may  reduce  the  chance  of  compromise,  but  will 
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not,  in  a  multi-user  or  multilevel  computer  network, 
prevent  unauthorized  disclosure,  modification,  addition, 
or  destruction  of  information,  since  anyone  with  access  to 
the  network  may  have  access  to  all  the  information 
contained  in  the  network.  Therefore,  in  addition  to  the 
traditional  concept  of  physical  security  and  limiting 
"physical"  access  to  a  particular  resource,  limitation  of 
"electronic"  access  to  a  resource  must  also  be  taken  into 
account . 

Data  encryption  techniques  are  an  example  of  limiting 
the  "electronic"  access  if  only  authorized  personnel 
possess  the  decrypting  "key"  to  decipher  the  information. 
Encryption  will  be  discussed  later  in  this  chapter. 

One  additional  physical  security  consideration  is  the 
prevention  of  electromagnetic  emanation  from  electronic 
devices  such  as  computer  terminals  (also  referred  to  as 
"Tempest"  requirements).  With  proper  equipment,  these 
electromagnetic  waves  may  be  received  by  an  enemy  and 
analyzed  to  reproduce  the  information  from  the 
electromagnetic  source.  One  protective  measure  is  to 
shield  all  the  electronic  components  to  reduce  or 
eliminate  this  electromagnetic  radiation.  This  thesis  will 
not  go  into  detail  on  electromagnetic  protective  measures, 
but  will  assume  that  appropriate  physical  security  will  be 
provided  as  specified  by  the  appropriate  Department  of 
Defense  regulations. 
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While  physical  security  is  still  necessary,  it  oust 
be  complemented  by  certain  electronic  security  measures 
such  as  data  encryption  or  "trusted  software",  each  of 
which  will  be  discussed  later  in  this  chapter. 

Physically  Separate  LANs 

This  approach  implements  each  particular  security 
leyel  as  a  physically  separate  local  area  network,  with 
all  data  traffic  being  at  the  same  single  security  level 
in  each  separate  LAM.  All  computers  and  terminals  must  be 
physically  protected  to  the  security  level  of  the  LAN  to 
which  they  are  connected.  This  may  be  a  viable  approach  if 
only  very  few  distinct  security  levels  need  to  be 
processed.  For  example,  certain  security  partitions 
(sensitivity  level  plus  compartment  set)  may  be 
geographically  zoned,  so  separate  LANs  for  each  security 
partition  could  be  a  viable  solution.  However,  the 
duplication  of  LAN  resources  may  rapidly  become  cost 
prohibitive  as  the  number  of  separate  security  partitions 
increases.  Another  drawback  to  this  approach  is  the  lack 
of  flexibility  to  the  user  who  needs  to  frequently  access 
several  different  levels  of  classified  information. 
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Multiplexing  Security  Levels 
This  approach  distinguishes  different  security  levels 
on  a  single-network  LAN  by  assigning  different  channels  on 
a  broadband  cable  (via  frequency  division  multiplexing 
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(FDH)  or  time  division  multiplexing  (TDM))  to  different 
security  levels.  This  is  a  relatively  simple  approach  in 
terms  of  off-the-shelf  imp lementab il ity ,  but  constrains 
the  system  Co  a  relatively  small  upper  bound  on  the  number 
of  distinct  security  levels  (which  may  be  large  when  all 
combinations  of  compartments  are  considered).  Addition¬ 
ally,  this  approach  requires  fixed  bandvidth  allocation 
for  each  security  level  regardless  of  relative  traffic 
load  and  would  require  complex  frequency  shifting  for 
fully  multilevel  operation. 

Encryption. 

When  designing  a  computer  network,  several  sources  of 
data  insecurity  need  to  be  considered.  Prominent  among 
these  are  spurious  message  injection,  message  reception  by 
unauthorized  r  eivers,  transmission  disruption,  and 
rerouting  data  to  improper  nodes.  To  maintain  security 
against  these  hazards,  a  combination  of  encryption 
algorithms  on  the  data  and  appropriate  protocols  for 
message  exchanges  may  be  employed.  These  techniques  also 
facilitate  tb«*  ;-:„ad?  ..  of  other  problems  in  computer 
communication  networks,  such  as  key  distribution, 
authentication,  privacy,  digital  signatures,  network  mail, 
and  transaction  verification. 

Recalling  the  abstraction  of  network  communications 
as  a  layered  protocol  architecture  (as  illustrated  in 
Figure  1),  data  encryption  may  conceivably  be  performed  in 
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any  of  the  seven  protocol  layers.  Since  the  network 
communication  media  may  be  easily  accessed,  there  might  be 
a  need  for  encryption  on  each  data  link  witnin  a  network, 
such  as  encrypting  all  data  at  the  bottom  protocol  layers. 
Alternatively,  one  can  also  choose  to  encrypt  data  above 
the  network  layer,  i.e.,  the  ho st-to-host  layer,  which 
constitutes  an  example  of  end-to-end  encryption.  The 
higher  the  layer  at  which  encryption  is  performed,  the 
less  the  lower  layers  of  the  communications  subnet  (layers 
1-3)  have  to  be  specially  tailored  to  perform 
application-specific  security  tasks.  Therefore,  the 
communications  subnet  layers  need  not  be  altered  to 
accomodate  secure  communications  when  encryption  is 
performed  at  a  higher  layer.  However,  data  link  encryption 
can  mask  traffic  characteristics,  which  by  itself  may  be 
of  interest  to  an  unauthorized  party.  Data  traffic 
characteristics  may  be  readily  visible  to  any  potential 
network  intruder  if  the  data  packet  addressing  information 
is  not  encrypted.  Therefore,  a  combination  of  data  link 
and  end-to-end  encryption  techniques  may  be  desirable  for 
a  particular  network  application. 

Use  of  end-to-end  encryption  (above  protocol  layer  3) 
as  an  approach  to  secure  communications  in  both  wide-area 
packet-switched  networks  and  in  local  area  networks  is 
currently  being  researched.  This  approach  requires  a  key 
distribution  facility  (either  at  each  LAN  site  or  possibly 
at  a  central  facility  or  network  node,  called  a  Key 
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Distibucion  Center  (KDC))  and  encryption/decryption  units 
in  each  network  terminal  interface  unit.  A  point-to-point 
version  of  end-to-end  encryption,  known  as  the  "private 
line  interface"  (PLI),  has  been  successful  in  specific 
applications  across  wide-area  packet-switched  networks, 
and  is  commonly  employed  to  provide  classified 
communications  on  the  ARPANET  (SIDH82b). 

There  are  two  basic  approaches  to  encryption.  The 
first  requires  use  of  a  secret  transformation  key  to 
encrypt  data  that  is  then  sent  over  a  public  channel.  At 
the  receiving  station,  the  same  key  is  used  to  convert  the 
enciphered  data  back  into  the  original  form  (see  Figure 
4).  The  transformation  key  is  sent  to  the  authorized 
receiver  over  a  secure  channel  and  is  therefore 
unavailable  to  other  parties.  This  method  constitutes  a 
private-key  cryptosystem  (MEYE82). 

The  second  approach  is  based  ou  the  use  of  separate 
keys  at  the  transmitting  and  receiving  stations  -  keys 
that  cannot,  in  practice,  be  obtained  from  each  other. 
Each  user  keeps  one  of  these  two  transformations  secret 
and  publishes  the  other,  which  can  then  be  used  to 
transform  data  intended  for  the  user.  Systems  employing 
this  approach  are  called  public-key  cryptosystems  (DENN83, 


■i  SMIT83),  since  the  encryption  key  may  be  public  knowledge 


The  Date  Encryption  Standard  (DES)  of  the  National 
Bureau  of  Standards  was  adopted  for  use  in  the  United 
States  in  1977  (MEYE82).  Thia  private-key  cryptosystem  is 
in  use  today  end  haa  been  implemented  in  hardware  aa  well 
(C0LL79).  The  major  reason  for  the  popularity  of  the  DES 
i«  ita  speed.  It  takes  about  100  milliaeconde  to  implement 
on  an  8-bit  microprocessor,  and  the  time  can  be  brought 
down  to  about  5  microseconds  on  a  custom-built  LSI 
(large-scale  integration)  device  (DAVI81).  In  contrast, 
with  the  Rivest-Shamir-Adleman  (RSA)  algorithm,  the  most 
promising  public-key  system,  encryption  of  500-bit  numbers 
(a  block  sise  necessary  for  security)  using  available 


technology  takes  about  a  half  second  (KAK83).  This  speed 
is  unacceptable  for  many  applications  such  as  a 
key-management  system,  and  public-key  algorithms  are 
already  being  used  for  this  purpose. 

The  size  of  the  encryption  or  decryption  keys  varies 
between  different  cryptographic  codes,  but  analysis  of  the 
relative  security  of  a  cryptographic  code  focusses  on  the 
probability  of  "guessing"  or  calculating  the  crypto  keys 
employed.  Naturally,  the  more  digits  (or  bits)  in  the 
crypto  key,  the  more  difficult  it  becomes  to  "crack"  the 
encryption  code.  As  an  example,  the  DES  uses  an 
encryption/decryption  key  size  of  64  bits,  of  which  56 
bits  are  used  directly  by  the  cryptographic  algorithm  and 
8  bits  are  used  for  error  detection.  Detailed  analysis  of 
the  strength  of  a  particular  cryptographic  code  to 
withstand  analytical  attack  may  be  found  in  MEYE82. 
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Kay  distribution  and  management  may  add  significant 
overhead  to  a  network.  An  example  of  a  DES 
encryption/decryption  device,  the  CR-2Q0  Data  Security 
Unit,  is  diacuased  in  Appendix  A.  The  CR-200  unit  ia 
available  for  reaaarch  projecta  at  the  Electrical 
Engineering  Department  of  the  Air  Force  Inatitute  of 
Technology.  Alao,  an  example  of  a  centraliaed  key 
diatribution  and  management  acheme  ia  given  in  STEI82,  and 
indicatea  the  level  of  handahaking  necessary  between 
computer  systems  in  one  design  for  a  secure  network.  Key 
diatribution  and  management  schemes  may  provide  the  basis 
for  secure  communication  channels  within  a  LAN. 
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Senders  and  receivers  of  sensitive  information  may 
require  secure  means  for  validating  and  authenticating  the 
electronic  messages  they  exchange.  Validation  refers  to 
certification  of  the  contents  of  a  message,  and 
authentication  refers  to  certification  of  the  message's 
originator.  A  proposed  method  to  accomplish  both  functions 
is  the  use  of  a  digital  signature,  which  is  appended  to 
(or  an  integral  part  of)  every  message  (TANE81,  KU081 , 
AKL83).  A  digital  signature  is  simply  a  string  of  0's  and 
1's,  and  may  be  different  for  each  message  sent  (unlike  a 
handwritten  "analog"  signature),  which  makes  a  digital 
signature  extremely  difficult  to  duplicate  without  some 
private  information  (AKL83). 
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Trusted  Network  Interface  Units 


The  overall  objective  of  a  local  area  network  that  is 
a inultaneous ly  servicing  users  at  a  variety  of  different 
security  levels  is  to  provide  full  multilevel  protection 
of  the  data.  Subscribers  (boat  computers  or  terminals)  to 
a  LAM  may  be  limited  to  operate  at  a  single  level  of 
security*  or  they  may  be  multilevel  and  trusted  to  operate 
at  a  range  of  security  levels.  One  approach  to  ensuring 
the  full  multilevel  protection  of  the  data  on  a  LAM  is  to 
use  a  "trusted  interface  unit"  (TIU)  to  enforce  security 
access  restrictions  to  classified  data  (SIDH82a).  All  data 
packets  on  the  LAM  medium  are  plain  text  (no  encryption  is 
performed)*  and  the  trusted  network  interface  u^nit 
arbitrates  all  security-related  flow  of  data  from  the  LAN 
medium  to  a  user  terminal  or  host. 

For  single-level  LAM  subscribers*  communication  is 
restricted  to  those  at  the  same  security  level.  This 
restriction  is  enforced  by  the  TIU  used  by  each  subscriber 
to  interface  to  the  LAN  and  is  based  on  a  security  level 
field  in  the  header  of  each  data  packet.  The  TIU's  (not 
the  individual  host  computers  or  terminals)  are  trusted  to 
verify  and  enforce  the  security  markings  in  the  packets. 
Similarly  for  multilevel  subscribers  (a  multilevel  secure 
host  computer  or  terminal)*  communication  is  restricted 
according  to  the  usual  security  constraints.  Security 
levels  are  enforced  by  the  TIU  for  the  multilevel  host, 
with  the  host  trusted  to  choose  the  specific  security 
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level  of  eajh  packet  it  transmits.  Likewise,  the 
multilevel  host  is  trusted  to  receive  packets  at  the  range 
of  its  security  levels  and  to  properly  protect  the  data 
according  to  the  classification  in  the  packet  header. 
Figure  5  shows  a  simple  multilevel  LAN  with  single-level 
and  multilevel  subscribers  (SIDH82b).  This  design 
considers  the  potential  for  multilevel  host  processors, 
which  as  of  yet  may  not  be  proven  to  be  truly  multilevel 
secure.  More  accurately,  the  hosts  probably  operate  in  a 
dedicated  or  system-high  mode. 

As  discussed  earlier,  appropriate  physical  security 
protection  requires  that  the  entire  LAN  medium  and  all 
TIU's  be  physically  secured  to  "system  high",  the  highest 
security  classification  to  be  processed  in  the  LAN.  It  may 
be  unreasonably  costly  to  protect  all  TIU's  and  the  entire 
LAN  medium  in  a  network  where  most  of  the  users  are  at 
lower  or  unclassified  security  levels. 

To  alleviate  this  problem,  the  simple  multilevel  LAN 
is  extended  to  incorporate  the  concept  of  physically 
separate  subnetworks  whose  LAN  mediums  are  each  physically 
protected  to  some  maximum  level  that  may  be  less  than  the 
maximum  level  of  the  entire  local  area  network.  The 
subnetworks  are  connected  by  "bridges"  in  such  a  way  that 
the  entire  set  of  subnetworks  appear  as  a  single  local 
area  network  to  each  TIU  and  subscriber. 
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An  example  of  a  multilevel  LAN  composed  of  several 
subnetworks  is  shown  in  Figure  6.  Note  that  data 
encryption  is  used  only  where  portions  of  the  LAN  medium, 
Tin-subscriber  link,  or  bridge  link  must  pass  through 
physically  unprotected  areas.  Similar  to  gateways  in 
wide-area  networks,  the  bridges  route  packets  between  LAN 
subnetworks  with  identical  protocols.  They  also  perform  a 
security  check  to  ensure  that  information  from  a  high 
level  TIU  on  one  subnetwork  does  not  flow  to  a  lower  level 
subnetwork.  Therefore,  subnetworks  need  only  be  physically 
protected  and  trusted  to  maintain  separation  of  data 
within  the  range  of  levels  of  subscribers  on  that 
subnetwork . 


O 

Protocol  Modification  for  Security 

As  mentioned  earlier,  the  issue  of  specific  network 
protocols  must  be  addressed  in  order  to  incorporate 
multilevel  security.  One  proposed  protocol  modification 
(SIDH82a)  is  based  upon  an  existing  operational  protocol, 
therefore  minimizing  the  modifications  to  the  protocol  so 
as  not  to  seriously  affect  existing  performance  studies  or 
implementation  techniques.  The  existing  protocol  is  the 
"Carrier  Sense  Multiple  Access  with  Collision  Detection" 
(CSMA/CD)  protocol,  used  by  Ethernet,  that  has  been 
proposed  for  the  IEEE  Standard  802. 
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Ethernet  Link  Protocol 


Secure  LAN  Link  Protocol 


A  military  computer  network  may  use  IEEE  802  Standard 
protocols  at  the  lower  protocol  layers,  but  any  discussion 
of  protocols  should  be  done  in  light  of  Department  of 
Defense  standard  protocols.  The  DoD  level  4  Standard 
Transmission  Control  Protocol  (TCP)  may  be  used  to 
maintain  the  end-to-end  integrity  of  the  network 
(DAKP81a).  The  DoD  Standard  Internet  Protocol  (IP) 
contains  both  security  fields  and  addressing  capabilities 
for  multiple  networks  (DA&P81b).  The  security  implications 
and  provisions  of  the  Internet  Protocol  are  discussed 
further  in  Chapter  6 . 


Trusted  Interface  Unit 


The  TIU  is  responsible  for  enforcing  the  security 


policy  based  on  the  security  level(s)  of  its  subscriber 
and  the  security  level  of  each  packet  (SIDH82a).  The 


multilevel  TIU  for  a  host  or  terminal  will  contain  fully 


trusted  software.  The  security  processor  in  such  a  TIU 


would  only  be  able  to  limit  communications  to  the  range  of 
levels  at  which  the  host  or  terminal  is  authorized  to 


operate.  The  rest  of  the  TIU  would  have  to  be  trusted  to 
properly  identify  the  security  level  of  the  data  to  the 
host  within  that  range,  so  that  the  host  (which  is 
trusted)  can  make  the  correct  decisions  to  provide  the 
necessary  protection  of  the  multilevel  data. 


Summary 

Enforcing  security  in  a  computer  network  may  impose 
some  implementation  constraints  upon  the  network.  Some 
implementation  approaches  (physically  separate  LANs, 
multiplexing  security  levels,  trusted  network  interface 
units,  and  data  encryption)  have  intrinsic  limitations, 
but  may  be  well-suited  to  a  specific  network  application. 
Data  encryption  offers  some  security  advantages,  but  the 
distribution  and  management  of  cryptographic  keys  could 
become  a  cumbersome  task  in  a  computer  network.  The 
trusted  network  interface  unit  approach  provides  some 
implementation  flexibility  and  may  be  adapted  to  various 
network  applications,  but  the  separation  and  multilevel 
protection  of  the  data  within  a  LAN  needs  to  be  further 
addressed . 

Each  of  these  MLS  LAN  approaches  involve 
implementation  considerations.  In  addition  to  the  security 
policy  models  described  in  Chapter  3,  a  particular  LAN 
application  may  necessitate  unique  security-related 
requirements.  Therefore,  various  LAN  implementation 
considerations  need  to  be  integrated  with  a  security 
policy  model  to  design  a  "security  architecture"  for  a 
local  area  computer  netvork.  The  next  chapter  will  define 
a  prototype  LAN  security  model  upon  which  a  security 
architecture  design  may  be  based. 
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Design  and  implementation  of  a  secure  local  area 
network  involves  many  complex  issues,  as  described  in  the 
previous  chapters.  However,  the  ultimate  objective  of 
system  certification  to  process  multilevel  classified  data 
relies  on  the  verification  of  the  system's  security 
enforcement  policy.  As  described  in  Chapter  3,  computer 
security  models  have  served  as  the  fundamental  description 
of  how  a  computer  system  will  address  security  policy. 

The  applicability  of  computer  security  models  to  date 
has  focussed  primarily  upon  a  single  computer  system 
rather  than  a  network  of  computers.  Due  to  technology 
trends  towards  the  interconnection  of  computer  systems 
into  computer  networks,  the  resulting  impact  on 
information  security  must  be  addressed.  As  illustrated  in 
the  previous  discussion  of  the  Bell-LaPadula  security 
model  in  Chapter  3,  this  model  specifies  precisely  what 
conditions  must  be  met  (in  terms  of  subjects,  objects, 
access  modes,  and  security  principles)  to  assure  secure 
system  states.  This  security  model  is  readily  applicable 
to  a  single  computer  system,  since  the  design  of  a  single, 
centralized  security  enforcement  mechanism  (via  an  access 
matrix,  or  reference  monitor)  is  fairly  well-specified  by 
the  model. 

Since  the  Bel 1-LaPadula  security  model  applies  to 
single  processor  hosts  and  to  multiprocessor  hosts,  how 
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can  the  Bell-LaPadula  model  be  applied  to  a  LAN?  From  a 


global  perspective  of  a  LAN  as  a  "virtual  machine",  the 


Bell-LaFadula  model  may  be  applicable  to  the  security 


policies  vhich  specify  which  network  users  (subjects)  have 
access  to  what  network  resources  (objects).  This  chapter 


will  present  a  prototype  LAN  security  model  which 


incorporates  the  basic  structure  of  the  Bell-LaPadula 


model,  yet  specifically  considers  the  class  of  local  area 


computer  networks.  The  prototype  model  will  first  be 


presented  and  discussed,  followed  by  two  examples  of  how 


the  model  would  be  applied  to  particular  LAN 


configurations.  The  incorporation  of  the  LAN  security 


model  into  a  LAN  security  architecture  will  then  be 


discussed  in  Chapter  6. 


This  section  provides  a  textual  definition  and 


description  of  the  prototype  LAN  security  model.  This 


model  closely  parallels  the  Bel 1-LaPadula  security  model 
(BELL73a,  BELL73b,  BELL74) .  The  Bel 1-LaPadula  model  has 


already  been  widely  applied  in  prototype  Department  of 


Defense  computer  systems  (LAND83),  and  is  based  on  formal 


mathematical  proofs.  The  prototype  LAN  security  model 


presented  in  this  chapter  may  therefore  be  viewed  as  an 


extension  of  the  Bell-LaPadula  model  to  incorporate 


several  features  of  distributed  computer  networks.  One 


feature  that  is  included  is  the  notion  of  an  "object" 
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being  comprised  of  (potentially  many)  component  "elements" 
and/or  other  "objects".  Add  it ional ly ,  the  LAN  security 
model  is  baaed  on  the  underlying  assumption  of  secure 
communication  channels  existing  within  the  LAN. 

This  section  will  present  the  prototype  LAN  security 
model  by  explicitly  defining  its  component  parts,  stating 
four  security  assumptions,  and  then  stating  eight  security 
assertions  which  must  be  demonstrated  to  hold  true  for  a 
multilevel  secure  LAN. 

Model  Definitions 

Entity:  An  entity  is  either  a  subject,  an  object,  or  an 

element . 

Subject:  A  subject  is  an  active  user  of  a  computer  system 

or  any  entity  acting  on  behalf  of  a  user. 
For  example,  processes,  jobs,  and 
proceduras  may  all  be  considered  subjects. 
A  subject  has  a  clearance  which  allows 
access  to  objects  and  elements  having 
classifications  which  are  a  subset  of  the 
subject's  clearance. 

User:  A  person  authorized  to  use  the  LAN. 

Roles:  Certain  users  may  have  particular  roles  to  perform, 

such  as  downgrading  classification  levels, 
distributing  objects  within  the  LAN,  or 
releasing  objects.  To  act  in  a  given  role, 
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a  user  must  be  Authorised  to  perform  it. 
Special  roles  may  be  associated  with  a 
trusted  process  or  a  very  limited  number 
of  trusted  users. 

Object:  An  identifiable  resource  or  date  container  within 

a  computer  system  or  LAH.  Software-created 
entities  such  as  programs,  files,  and 
directories  are  objects,  as  veil  as 
hardware  resources  and  devices  such  as 
memory  blocks,  disk  tracks,  tapes, 
printers,  and  terminals.  An  object  has  a 
security  classification  and  may  contain 
elements  (each  with  its  own  classifica¬ 
tion)  and/or  other  objects. 

Element:  An  element  is  the  smallest  unit  of  information  in 

the  system  to  which  a  classification  is 
explicitly  attached.  Therefore,  an  element 
contains  no  other  objects  or  elements,  and 
is  not  multilevel. 

Security  Level:  In  the  context  of  military  security 

modeling,  this  is  the  fundamental  security 
attribute  of  all  entities  (subjects, 
objects,  and  elements)  within  a  computer 
system  or  network.  The  security  level 
(also  called  security  partition)  is 
comprised  of  a  sensitivity  level 
(Unclassified,  Confidential,  Secret,  Top 
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Secret)  end  e  (possibly  null)  set  of 
compartments  (NATO,  NUCLEAR,  etc.). 
Dissemination  controls  (such  as  NATO  ONLY, 
NOFORN,  or  NOCONTRACTOR)  may  be  handled  as 
additional  compartment  names.  The  security 
level  is  the  basis  on  which  all 
sub ject-to-ob ject  access  is  determined.  A 
classification  represents  the  security 
level  of  an  object  or  element,  while  a 
clearance  represents  the  entire  set  of 
security  levels  of  a  user.  A  user  will 
operate  at  a  "current  security  level" 
which  is  a  subset  of  the  user's  clearance. 

Current  Security  Level:  The  current  security  level  of  a 

subject  is  that  level  by  which  he  is 
currently  recognised.  A  user  may  possess  a 
clearance  to  a  specific  maximum  level,  but 
this  does  not  require  that  he  be 
recognized  at  this  maximum  level.  Instead, 
he  cay  choose  a  lower  level  (or  subset)  as 
his  current  security  level  for  processing 
purposes . 

Classification:  A  classification  is  a  designation  attached 

to  information  entities  (objects  and 
elements)  that  reflects  the  damage  that 
could  be  caused  by  unauthorized  disclosure 
of  that  information.  A  classification 
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includes  a  sensitivity  level  end 
compertment  set  to  specify  e  security 
level. 

Clearance:  A  cleerance  represents  the  degree  of  trust 

associated  with  a  subject  (user).  It  is 
expressed  in  the  sane  way  as 

classifications  are,  as  a  sensitivity 
level  and  a  compartment  aet.  In  a  secure 
LAN,  each  user  will  have  a  clearance,  and 
functions  performed  by  the  LAN  for  that 
user  may  check  (via  an  access  control 
matrix)  the  user's  clearance  and  the 
classification  of  objects  to  be  operated 
on . 

Access  Modes:  "Access"  means  the  ability  and  the  means 

necessary  to  store  or  retreivs  data,  to 
communicate  with  (i.e*,  provide  input  to 
or  receive  output  from),  or  otherwise  make 
use  of  any  resource  in  a  computer  system. 
"Access  Control"  is  a  strategy  for 
protecting  objects  and  elements  from 
unauthorised  access.  Distinct  operations 
are  recognised  by  the  protection  mechanism 


as  a  posi 

tible  op 

eration  on  an 

object 

.  For 

example , 

Read , 

Write,  and 

Append 

are 

possible 

access 

modes  to  a 

file, 

while 

Execute  is  an  additional  access  mode  to  a 
program. 
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Read  Access:  An  accost  Co  an  object  or  element  permitting 

only  observation  with  no  aodif ication,  in 
accordance  with  the  Siaple  Security 

Property  (the  subject  auat  have  a 

clearance  level  higher  than  or  equal  to 
the  classification  level  of  the  object  or 
eleaent ) . 

Append  Access:  A  write  operation  which  does  not  allow  a 

prior  read  of  the  object  or  eleaent  being 
written,  in  accordance  with  the  ‘-Security 
Property  (the  subject  auat  be  at  a  current 
security  level  lover  than  or  equal  to  that 
of  the  object  or  eleaent). 

Writ e  Access:  The  union  of  Read  Access  an  \  Append  Access, 

when  an  object  or  eleaent  oust  be  read 

prior  to  being  written  (i.e.,  aodif ica¬ 
tion),  in  accordance  with  both  the  Siaple 
Security  Property  and  the  ‘-Security 
Property. 

Execute  Access:  An  execute  access  requires  that  the 

desired  object  or  eleaent  be  read  by  the 
subject's  processing  equipaent,  in 
accordance  with  the  Siaple  Security 
Property . 

Delete  Access:  A  delete  access  is  a  destructive  vrite 

process.  Since  an  object  or  element  must 
normally  be  viewed  (read)  prior  to 
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deletion  (writing),  a  delete  access  must 
behave  in  accordance  with  both  the  Simple 
Security  Property  and  the  *-Secur ity 
Property  (as  in  the  Write  Access). 

Access  Control  Matrix:  A  list  or  matrix  of  subjects  which 

are  authorized  to  have  a  particular  access 
mode(s)  to  objects  or  elements  within  a 
computer  system  or  network. 

Rules  of  Operation:  Functions  that  may  be  applied  to  an 

entity.  Listed  below  is  a  core  set  of 
operations  which  need  to  be  incorporated, 
yet  additional  operations  may  be 
identified  for  particular  LAN  applica¬ 
tions  . 

get  read:  Request  read  access  to  an  object 
or  element. 

get  append:  Request  append  access  to  an 
object  or  element. 

get  execute:  Request  execute  access  to  an 
object  or  element. 

get  write:  Request  write  access  to  an 
object  or  element. 

release:  Release  accesses  currently 

possessed  (read,  write,  append, 
execute);  the  inverse  of  "get" 
access  . 
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permit:  Permit  another  subject  discre-  ■ 

t ionary  access  to  an  object  or  ; 

element.  I 

i 

rescind:  Remove  or  revoke  discretionary  ] 

access  privileges  (permits)  to  j 


an  object  or  element. 

create:  Create  a  new  entity  within  the 
LAN. 

delete:  Remove  an  existing  object  or 

element  from  the  system, 
change  security  level:  Allows  a  subject 
(user)  to  alter  its  current 
security  level. 

Simple  Security  Property:  A  fundamental  security  model 

rule  allowing  a  subject  read-access  to  an 
object  or  element  only  if  the  security 
classification  of  the  object  or  element  is 
the  same  or  less  than  the  current  security 
level  of  the  subject. 

♦-Security  Property:  A  fundamental  security  model  rule 


allowing  a  subject  write-access  to  an 


object  or  element  only  if  the  security 


classification  of  the  object  or  element  is 


the  same  or  higher  than  the  current 


security  level  of  the  subject. 


Non-Discretionary  Access  Controls:  Also  called  mandatory 


access  controls,,  the  aspect  of  DoD 
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3.  Appropriate  network  communication  protocols  exist 
to  ensure  secure  information  transmission  within  the 
network.  These  secure  communication  channels  protect 
classified  data  from  unauthorized  dissemination  while 
providing  distinct  separation  of  security  levels. 

4.  Physical  security  measures  to  protect  particular 
LAN  components  (i.e.,  hosts  and  terminals)  according  to 
DoD  regulations  are  assumed. 


Security  Assertions 

The  following  assertions  are  to  be  demonstrated  to 
hold  true  for  a  multilevel  secure  LAN: 

1.  Access  Control:  A  user  may  invoke  an  operation  on 
an  object  or  element  only  if  there  is  a  corresponding 
entry  in  the  access  control  matrix  which  allows  the 
subject  to  perform  the  requested  operation  on  the 
specified  object  or  element. 

2.  Clearance  Assignment:  Only  the  System  Security 
Officer  (SSO)  can  set  the  security  clearance  recorded  in 
the  access  control  matrix  for  any  user. 

3.  Entity  Labeling  Requirement:  Any  entity  within  the 
LAN  must  be  labeled  with  its  correct  security 
class  if ication . 

4.  Classification  Hierarchy:  The  classification  of  an 
object  is  always  at  least  as  high  as  the  maximum 
classification  of  the  objects  and/or  elements  it  contains. 
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5.  Class  if ication  Preservation:  Information  removed 
from  cr  copied  from  an  object  or  element  inherits  the 
classification  of  that  object  or  element.  Similarly, 
Information  inserted  into  an  object  or  element  must  net  be 
classified  at  a  level  above  that  object  or  element. 

6.  Claes  if ication  Downgrading:  No  entity  classifi¬ 
cation  label  can  be  downgraded  except  by  a  user  with  the 
role  of  downgrader. 

7.  Simple  Security  Property:  A  fundamental  security 
model  rule  allowing  a  subject  read-access  to  an  object  or 
element  only  if  the  security  classification  of  the  object 
or  element  is  the  same  or  less  than  the  security  clearance 
of  the  subject. 

8.  ^-Security  Property:  A  fundamental  security  model 
rule  allowing  a  subject  write-access  to  an  object  or 
element  only  if  the  security  classification  of  the  object 
or  element  is  the  same  or  higher  than  the  security 
clearance  of  the  subject. 


$ 
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Diacuasion  of  the  Model 

The  entities  for  the  model  represent  the  active 
sub4* at  a  (users)  and  passive  objects  (and  elements)  within 
the  Users  are  "created"  by  the  System  Secu;  ity 
Officer  assigning  some  form  of  unique  identifier  (such  as 
a  login  name,  password,  and/or  user  identification  code) 
to  the  user.  For  each  type  of  entity  that  users  may 
create,  an  operation  or  process  may  be  invoked  by  the  user 


S 
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to  "create"  the  new  entity,  providing  the  user  is 
authorized  to  invoke  the  particular  "create"  operation 
requested . 

Each  user  has  a  security  clearance  which  the  SSO  will 
incorporate  into  the  access  control  matrix.  A  finer 
constraint  on  the  user  during  actual  LAN  sessions  is 
imposed  by  the  notion  of  a  "current  security  level". 
Although  a  user  may  pos*»»a  a  very  high  security 
clearance,  each  LAN  operation  will  be  associated  with  a 
single  security  partition  or  subset  of  the  user's  maximum 
clearance.  This  aids  the  enforcement  of  the  ^-Security 
Property . 

The  incorporation  of  multilevel  objects  is  an 
extension  of  the  Bell-LaPadula  security  model's 
single-level  objects,  and  is  similar  to  the  definition  of 
multilevel  objects  proposed  for  Military  Message  Systems 
(LAND82),  as  discussed  earlier  in  Chapter  3.  For  example, 
a  multilevel  object  may  be  a  large  document  classified  as 
Top  Secret.  The  document  is  comprised  of  individual 
chapters,  sections,  and  paragraphs,  each  of  which  could  be 
labeled  with  a  specific  security  classification.  If  each 
paragraph  were  labeled  with  its  security  classification 
and  treated  as  an  element,  the  entire  Top  Secret  document 
(object)  would  be  a  collection  of  many  elements  at  various 
classification  levels.  The  model  requires,  however,  that 
the  security  classification  of  an  object  be  at  least  as 
high  as  that  of  the  most  highly  classified  element  (or 


object)  contained  within  it.  As  a  further  example,  the 
abstract  (element)  of  a  technical  paper  (object)  could  be 
unclassified  while  the  remainder  of  the  paper  is 
classified  Secret. 

A  user  may  refer  to  another  entity  within  the  system 
by  either  direct  (explicit)  reference  or  indirect 
(implicit)  reference.  Entities  may  have  identifiers  that 
allow  them  to  be  named  directly,  such  as  a  command  to  read 
a  particular  data  file  name  (identifier).  Alternately,  a 
process  acting  on  behalf  of  a  user  may  refer  to  an  entity, 
constituting  an  indirect  reference.  From  the  user's 
perspective,  anything  the  user  can  create,  display,  or 
modify  must  be  (or  be  part  of)  an  entity.  Assertion  5 
stipulates  that  a  part  of  an  object  that  is  removed  or 
modified  inherits  the  classification  of  the  whole  object. 

When  a  user  invokes  an  operation  on  an  entity,  the 
user's  current  security  level,  user  role  (such  as 
"downgrader ”  ,  if  appropriate),  the  appropriate  device  and 
entity  classifications,  and  the  access  control  matrix 
determine  whether  he  can  invoke  the  operation.  The 
implementation  of  the  access  control  matrix  may  be 
centralized  at  a  single  "security  node"  in  the  LAN,  or 
each  host  may  perform  its  own  access  control.  The 
particular  implementation  should  remain  transparent  to  the 
model . 

It  is  important  to  pay  particular  attention  to  the 
third  security  assumption,  which  assumes  secure 


communication  channels  exist  within  the  LAN.  Although  the 
implementation  of  these  secure  communication  channels  is 
transparent  to  this  security  model,  these  secure  channels 
are  crucial  and  fundamental  to  this  or  any  other  network 
security  model.  This  particular  design  issue  will  be 
further  discussed  in  Chapter  6. 

Operations  are  defined  in  the  model  which  correspond 
to  the  user's  view  of  the  LAN.  Additional  model  operations 
may  need  to  be  defined  for  a  particular  LAN  application, 
ani  this  model  is  flexible  in  that  respect,  as  long  as  the 
operations  are  included  in  the  access  control  matrix.  From 
the  user's  perspective,  the  LAN  offers  functions  and 
services  that  may  be  invoked  by  typing  single  function 
keys  or  strings  of  characters.  In  the  actual  LAN 
implementation,  processes  are  constrained  to  invoke  only 
operations  that  preserve  the  truth  of  the  model's 
assertions . 


Mode? 


In  order  to  demonstrate  how  the  prototype  LAN 


security  model  may  be  applied  to  actual  local  area 
computer  networks,  two  distinct  LAN  configurations  will  be 
discussed.  The  first  configuration  assumes  a  single 
security  enforcement  node  within  the  LAN  which  is  wholly 
responsible  for  enforcing  the  model.  The  second 
configuration  illustrates  the  distribution  of  the  security 
enforcement  responsibility  to  each  LAN  node. 
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security  node  arbitrates  all  sub ject/ob ject  accesses 
vithin  the  entire  LAN,  so  the  network  topology  essentially 
becomes  a  "star"  topology,  as  illustrated  in  Figure  8. 
This  LAN  is  similar  to  a  single  computer  system  from  a 
security  perspective,  since  there  is  a  single  focal  point 
for  all  security  transactions.  The  security  node  may  be 
thought  of  as  a  "reference  monitor"  for  the  LAN,  and  may 
contan  a  security  kernel  to  implement  the  reference 
monitor.  The  security  node  must  also  contain  a  master 

library  and  an  access  control  matrix  for  all  LAN  system 
entitles  (users,  files,  and  devices). 

The  SSO  is  responsible  for  the  operation  of  the 

security  node  and  for  maintaining  the  access  control 
matrix.  All  network  users,  their  respective  security 
clearances,  and  their  access  rights  to  the  various  LAN 
entities  will  be  recorded  in  the  access  control  matrix  by 

the  SSO.  For  example,  if  user  "Al"  is  authorized  access 

only  to  information  contained  on  host  "A",  then  the 
security  node  (via  its  access  control  matrix)  will  ensure 
that  user  Al  will  not  be  able  to  access  any  entities 
resident  on  any  host  except  host  "A". 


TP  T  P  T 


ACM  ■  Access  Control  Matrix 
T  -  Terminal 
P  -  Printer 
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By  defining  the  multilevel  object  entity  within  the 
model,  a  hierarchy  of  object  entities  may  be  created 
(similar  to  the  tree  structure  of  files  and  directories  in 
the  UNIX  operating  system  (RUSH83 ) )  -  For  example,  the 
network  in  Figure  8  could  be  modeled  as  four  primary 
multilevel  objects  corresponding  to  the  four  host 
computers.  Each  of  these  primary  objects  would  contain 
other  objects,  such  as  data  files  and  devices.  The 

hierarchical  structure  may  therefore  be  decomposed  down  to 
its  individual,  single  security  level  elements.  Note  that 
this  hierarchy  may  also  account  for  the  security 
processing  mode  (Controlled,  System  High,  Dedicated,  or 
Multilevel)  of  each  host. 

This  LAN  configuration  has  the  advantage  of 

centralising  the  accountability  for  secur ity-related 
transactions  described  in  the  LAN  security  model.  Some 
applications  may  necessitate  such  a  single  security 
control  point  for  accountability  purposes,  such  as  the 
generation  of  audit  trails  to  keep  a  log  of  all  security 
transactions  within  the  system.  One  potential  disadvantage 
to  this  configuration  is  the  added  "overhead"  since  each 
network  transmission  must  be  routed  first  through  the 
security  node  for  processing  and  access  control 
enforcement.  This  added  overhead  may  degrade  the 

throughput  of  the  network  and  adversely  affect  other 

performance  parameters  such  as  response  time.  Another 


I 


potential  disadvantage  is  that  the  access  control  matrix 
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muse  be  cognisant  of  all  eneities  within  the  entire 
network,  including  master  libraries  of  all  objects  and 
elements.  In  a  large,  complex  LAN  with  many  hosts,  the 
access  control  matrix  could  be  quite  large  and  difficult 
to  manage. 


As  an  alternate  example,  consider  the  LAN  illustrated 
in  Figure  9.  Instead  of  a  single  security  node,  each  host 


subscriber  to  the  LAN  performs  its  own  security 
arbitration  and  access  controls.  In  this  esse,  the  LAN 


security  model  could  be  applied  to  each  individual  host 
within  the  LAN. 
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Tha  hierarchy  of  entities  may  be  created,  as 
discussed  in  the  single  security  node  example.  However, 
now  each  LAN  node  is  responsible  for  access  control 
arbitration  of  all  entities  it  contains.  Each  host  may 
have  its  own  SSO  to  assign  user  clearances  and  maintain 
the  access  control  matrix.  Since  each  node  requires  its 
own  access  control  matrix  and  SSO,  the  LAN  security  model 
may  be  applied  to  each  node  in  the  LAN.  For  example,  if 
user  "D1N  resident  on  host  "D"  requests  to  read  a  data 
file  named  E-FILE  on  host  "E",  the  access  control  matrix 
in  host  "D"  may  first  check  to  see  if  user  "Dl"  is 
authorised  access  to  host  ME"  (an  object).  Note  that  host 
D's  access  control  matrix  requires  no  knowledge  of  the 
data  file  "E-FILE",  or  any  of  the  objects  contained  within 
any  other  host.  Once  user  "Dl's"  request  arrives  at-1  host 
E,  host  E's  access  control  matrix  will  determine  whether 
user  Dl  is  authorised  to  read  the  data  file  "E-FILE”. 

A  primary  advautage  of  this  LAN  configuration  is  the 
capability  of  each  LAN  subscriber  to  control  its  own 
resources.  This  may  be  particularly  appropriate  when  only 
minimal  and  infrequent  transactions  occur  between  LAN 
hosts,  yet  the  capability  to  communicate  is  still 
required.  A  potential  disadvantage  of  this  configuration 
is  the  large  number  of  separate  access  control  matrices 

* 

and  SSO's  (although  perhaps  a  single  SSO  could  service  all 
LAN  hosts).  Finally,  the  LAN  designer  must  be  aware  that 
individual  analysis  and  security  modeling  of  each  LAN  node 
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nay  be  naive  to  the  aggregate  security  structure  of  the 
entire  LAM. 


guaatry 

Computer  security  models  have  served  as  the 
fundamental  description  of  how  a  computer  system  enforces 
security  policy.  This  chapter  has  presented  a  prototype 
LAN  security  model  which  specifies  what  must  be  achieved 
to  ensure  the  multilevel  secure  protection  and  separation 
of  classified  data  in  a  LAM.  The  model  closely  parallels 
the  Bell-LaPadula  security  model,  which  has  been  applied 
to  a  variety  of  DoD  computer  systems.  The  LAN  security 
model  presented  incorporates  th*s  concept  of  multilevel 
objects  and  relies  on  the  assumption  of  secure 
communication  channels  within  the  LAM.  The  next  chapter 
will  address  the  relationship  between  the  LAN  security 
model  and  certain  other  design  issues  associated  with 
developing  a  "security  architecture"  for  a  LAN. 
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VI .  SECURE  LAN  COMMUNICATION  CHANNELS 
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Most  security  models  to  date  have  narrowly  focussed 
upon  two  fundamental  concepts.  First,  they  have 
concentrated  solely  upon  a  single,  stand-alone  computer 
system  in  which  a  single,  centralized  operating  system  is 
assumed  to  .mpass  a  security  kernel  (or  other  similar 
mechanism)  to  enforce  a  particular  security  policy. 
Secondly,  these  models  strictly  address  security  policy, 
regai.  iless  of  implementation  considerations. 

The  term  ‘'model"  implies  that  a  security  model  should 
be  generic  enough  to  apply  to  a  variety  of  applications, 
which  may  not  be  feasible  to  accomplish  for  the  entire 
class  of  potential  LAN  configurations.  While  the  basic 
security  policy  concepts  intrinsic  to  the  model  still 
ap'iy  to  the  LAN,  particular  LAN  components  and  features 
(such  as  bridges,  gateways,  secure  communication  channels, 
and  network  protocols)  do  not  fit  neatly  into  the  model. 
This  necessitates  the  integration  of  the  LAN  security 
model  with  some  of  the  application  details  of  a  LAN 
configuration  to  properly  describe  the  security-relevant 
behav-i.  of  a  LAN,  resulting  in  a  security  architecture. 

The  implications  of  applying  the  prototype  LAN 
security  model  presented  in  Chapter  5  to  a  LAN  (or  even  a 
generalised  computer  network)  leaves  some  security  design 
issues  unaddres'  *v  .  These  topics  involve  the  cons iaerat ion 
of  various  implementation  constraints  introduced  in 


6-1 


I 


V^5 


O 


computer  networks.  In  addition  to  the  previously  discussed 
"conventional"  physical,  electromagnetic  emanation,  and 
personnel  security  controls,  the  complex  topic  of  computer 
network  security  involves  communication  security,  network 
protocols,  and  user  authentication  techniques.  For 
example,  the  prototype  LAN  security  model  explicitly 
assumes  the  existence  of  secure  communication  channels 
within  the  LAN. 

User  authentication  refers  to  the  problem  of 
positively  identifying  the  user(s)  of  a  communications 
media,  especially  when  the  two  ends  of  a  communications 
channel  are  remote  from  each  other.  Research  on  user 
authentication  techniques  and  schemes  involves 
communications  security,  data  encryption,  digital 
signatures,  and  protocol  specification  techniques. 
Although  user  authentication  is  a  necessary  component  of'  a 
secure  system,  it  is  an  implementation  detail  that  will  be 
will  be  assumed  for  the  purposes  of  this  thesis. 

The  design  issues  concerning  communications  security 
and  network  protocols  will  be  discussed  in  this  chapter, 
since  the  prototype  LAN  security  model  presented  in 
Chapter  5  depends  upon  the  establishment  of  secure 
communication  channels  within  the  LAN. 


& 


Communications  Security 

Even  if  a  network  is  comprised  solely  of  proven, 
secure  computer  systems,  the  security  mechanisms  in  the 
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packet  broadcast  network,  the  actual  communication  media 
may  be  quite  vulnerable  to  wiretapping  or  other 
subversion,  especially  in  the  case  of  a  long-haul  computer 
network  utilizing  satellite  channels.  Landwehr  notes  that 
most  formal  security  models  do  not  address  threats  such  as 
wiretapping  (LAND81). 

Communication  security  must  be  a  prime  consideration 
in  a  multilevel  LAN  because  1)  data  of  many  different 
classification  levels  may  appear  on  the  communication 
media,  and  2)  even  if  the  LAN  media  is  physically  secure, 
the  LAN  quite  likely  will  interface  with  another  network 
(through  a  gateway  node)  which  may  or  may  not  contain  a 
physically  secure  communications  media.  Both  "user  ends" 
of  a  network  connection  are  assumed  to  terminate  in  secure 
areas,  but  the  remainder  of  the  connection  may  be  subject 
to  physical  attack  such  as  active  or  passive  wiretapping. 

The  best  available  technology  for  providing 
communications  security  appears  to  be  data  encryption 
(TANE81,  KU081,  MEYE82).  Data  encryption  may  be  at  the 
end-to-end  level,  at  the  data  link  level,  or  potentially 
at  any  protocol  layer  (or  combinations  of  layers)  in  the 
ISO  reference  model  discussed  in  Chapter  1.  Some  form  of 
end-to-end  encryption  appears  desirable  because,  depending 


on  the  key  management  scheme,  user  authentication  may  be 
enhanced  and  additional  separation  of  "logical  channels" 
within  the  network  may  be  obtained. 

If  data  encryption  is  performed  at  a  high  protocol 
layer  (above  layer  4),  it  is  then  "transparent"  to  the 
lower  protocol  layers.  The  lower  protocol  layers  are 
responsible  only  for  routing  the  data  traffic  between  the 
source  and  destination  network  nodes,  so  data  encryption 
performed  at  a  higher  layer  doesn't  adversely  impact  the 
lower  protocol  layers.  However,  the  packet  addressing 
information  that  is  appended  by  the  lower  protocol  layers 
is  plainly  visible  to  an  intruder,  and  may  provide  useful 
information  in  the  form  of  traffic  analysis. 

Alternatively,  if  the  packets  are  encrypted  at  a  low 
protocol  layer,  then  even  the  addressing  information  is 
encrypted  on  the  LAN  medium,  hampering  a  potential 
intruder's  traffic  analysis  capability.  In  a  broadcast 
LAN,  however,  each  node  must  then  decipher  all  data 
packets  to  determine  the  addressing  information,  which  may 
constrain  the  throughput  of  the  network. 

..  Therefore,  depending  on  the  particular  LAN  evironment 
and  threat  assessment,  a  combination  of  high-level  and 
low-level  encryption  may  be  appropriate.  Note  that  the 
encryption  algorithm  itself  may  impose  performance 
limitations  on  the  LAN.  If  a  particular  encryption 
algorithm  depends  on  past  data  values  to  decipher  current 
data  values,  a  single  lost  data  packet  may  necessitate  the 
retransmission  of  the  entire  message. 
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Network  Protocols 

The  specification  of  the  various  network  protocol 
layers  (described  in  Chapter  1)  affects  the  security 
behavior  of  a  LAN.  Computer  communication  protocols  are 
very  important  components  of  computer  networks.  They  are  a 
let  of  ruies  which  govern  the  interaction  among  network 
components  and  an  orderly  transfer  of  data  among  them.  The 
correct  specification  and  operation  of  the  protocols  is 
essential  for  the  successful  operation  of  a  computer 
network  communication  system  (SUNS79,  SIDH82c). 

One  example  was  given  in  Chapter  4  of  a  simple 
modification  of  the  lower  two  protocol  layers  of  a  CSMA/CD 
data  packet  by  adding  a  packet  header  to  indicate  the 
security  level  of  the  data  contained  in  the  packet. 
Similarly,  the  Department  of  Defense  Standard  Internet 
Protocol  (IP)  header  incorporates  a  security  field 
(DARP81b).  The  DoD  Standard  Transport  Control  Protocol 
(TCP)  makes  use  of  the  IP  type  of  service  field  and 
security  option  to  provide  precedence  and  security  on  a 
per  connection  (session)  bssis  to  TCP  users  (DARP81a).  Not 
all  TCP  modules  will  necessarily  function  in  a  multilevel 
secure  environment;  some  may  be  limited  to  unclassified 
use  only,  and  others  may  operate  at  only  one  security 
level  and  compartment.  Consequently,  some  TCP 
implementations  and  services  to  users  may  be  limited  to  a 
subset  of  the  multilevel  secure  case. 
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TCP  modules  which  operate  in  a  multilevel  secure 
environment  must  properly  mark  outgoing  segments  with  the 
security,  compartment,  and  precedence.  Such  TCP  modules 
must  also  provide  to  their  users  or  higher  level  protocols 
(such  as  Telnet  or  THP)  and  interface  to  allow  them  to 
specify  the  desired  security  level,  compartment,  and 
precedence  of  connections. 

The  IP  packet  header  format's  security  option  field 
provides  a  way  for  hosts  to  send  security, 
compartmentation,  handling  restrictions,  and  transmission 
control  code  (TCC,  for  closed  user  groups)  parameters.  The 
security  field  (S  Field)  of  the  header  specifies  one  of 
sixteen  security  levels  (i.e..  Unclassified,  Confidential, 
Secret,  Top  Secret),  eight  of  which  are  reserved  for 
future  use.  The  compartment  field  (C  Field)  contains  all 
zeros  if  the  information  transmitted  is  not  compar tmented . 
Other  values  for  the  compartment  field  may  be  obtained 
from  the  Defense  Intelligence  Agency  (DIA).  The  handling 
restrictions  field  (H  Field)  may  contain  alphanumeric 
digraphs  to  represent  the  values  for  the  control  and 
release  markings  defined  in  the  Defense  Intelligence 
Agency  Manual  DIAM  65-19,  "Standard  Security  Markings". 
Finally,  the  transmission  control  code  field  (TCC  Field) 
provides  a  means  to  segregate  traffic  and  define 
controlled  communities  of  interest  among  network 


subscribers 
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Network  protocols  such  as  TCP-IP  may  enhance  the 
security  aspects  o£  a  LAN,  but  all  the  protocol  header 
information  may  be  rendered  useless  if  the  actual  data 
within  a  packet  is  transmitted  as  plain  text.  Therefore,  a 
combination  of  data  encryption  and  network  protocols  with 
security  features  may  be  a  feasible  approach  to  protecting 
sensitive  data  via  secure  communication  channels. 

Summary 

Due  to  the  distributed  nature  of  local  area  computer 
networks  and  the  lack  of  a  network  operating  system,  no 
centralized  focal  point  may  exist  in  a  LAN  to  serve  as  a 
security  enforcement  mechanism.  The  complex  topic  of 
computer  network  security  involves  communcations  security, 
data  encryption  techniques,  network  protocols,  and  key 
distribution  schemes.  These  security  aspects,  which  may 
differ  from  LAN  to  LAN  depending  on  configuration  and 
application,  need  to  be  integrated  with  a  security  policy 
model  such  as  the  prototype  LAN  security  model  to  form  a 
security  architecture. 


Processing  of  various  levels  of  classified 
information  in  a  local  area  network  of  computers  requires 
strict  attention  to  both  physical  and  electronic  security 
protection  measures  to  prevent  unauthorised  access  to 
sensitive  information.  Due  to  their  distributed  nature, 
LAN's  involve  several  security  issues  that  are  distinct 
from  issues  concerning  just  multilevel  secure  computer 
eystems.  In  particular,  the  establishment  of  secure 
communication  channels  between  LAN  subscribers  and  the 
associated  separation  and  protection  of  data  classified  at 
different  security  levels  must  be  addressed.  Some 
combination  of  the  techniques  presented  in  this  paper 
(data  encryption,  physical  security,  and  trusted  software) 
must  be  integrated  with  a  security  policy  model  (such  as 
the  prototype  LAN  security  model)  into  a  cohesive  design 
of  a  "security  architecture"  that  will  provide  full 
multilevel  protection  of  the  LAN  resources. 

Conclus ions 

Past  computer  security  models  have  focussed  upon 
modeling  security  in  a  single  computer  system  (BELL73a, 
BELL73b,  BELL74,  LAND81).  The  state  of  the  art  in  data 
communications  technology  is  aimed  towards  complex 
networks  of  computer  systems,  interconnected  by  a  variety 
of  media  and  accessible  to  a  variety  of  users.  Modeling 
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security  in  LANs  is  not  as  straightforward  as  in  single 
computer  systems.  Since  different  LAN  applications  may 
contain  a  completely  different  structure  of  security 
enforcement  mechanisms,  a  single  "LAN  security  model"  may 
not  be  an  appropriate  (or  even  useful)  entity  if  used  for 
all  LANs.  Therefore,  computer  security  models  developed 
for  single  computer  systems  need  to  be  expanded  to 
incorporate  the  distributed  nature  of  present  and  future 
computer  networks,  both  local  area  netvorks  and  long-haul 
networks . 

This  thesis  has  presented  both  a  prototype  LAN 
security  model  and  a  discussion  of  application-specific 
secure  LAN  design  issues.  These  LAN  implementation 
considerations  must  be  integrated  with  a  security  policy 
model  to  produce  a  "security  architecture".  There  are  two 
primary  implications  for  modeling  security  in  local  area 
computer  networks: 

1)  Due  to  the  distributed  nature  of  the  network 
itself,  certain  aspects  of  a  security  model 
may  similarly  be  distributed  to  accurately 
model  the  various  security  enforcement 
mechanisms  in  a  computer  network. 

2)  Modeling  of  security  iu  computer  netvorks  may 

involve  or  depend  upon  implementation 
considerations,  such  as: 
a)  How  and  where  data  encryption  and 
decryption  are  to  be  performed,  and  the 


7-2 


JIW/  TJt.’X  U’*  'Jk-  ">*J»  m-V  »  *  > 


'vk'V.-  'i  * >  ’>  '.V*/’  >  '.. 


consequenses  of  the  associated 
cryptographic  key  distribution  and 
management  system 

b)  Physical  topology  of  the  network  and  its 
associated  interface  mechanisms 

c)  User  identif ication/autbent ication  and 
data  access  authorisation  schemes 

d)  Formal  specification  of  network 

protocols  to  establish  secure  commun¬ 

ication  channels 

The  necessity  of  a  comprehensive  security 

architecture  for  a  particular  LAN  increases  as  the 
complexity  of  the  secure  systems  escalate.  As  computer 
technology  transitions  from  single,  stand-alone  computer 

systems  to  complex  networks  of  many  computers  and 
peripherals,  the  rigorous  enforcement  of  security  policies 
demands  the  existence  of  and  adherence  to  a  model  of 
security  policy  as  well  as  application-specific  security 
considerations  in  a  local  area  computer  network. 


Recommendations  for  Further  Study 
Many  of  the  issues  raised  and  implementation 

considerations  discussed  in  this  thesis  are  still  quite 
theoretical  in  nature,  and  great  potential  exists  for 
further  study.  Categoric,  that  require  further  research 
include  user  identification  and  user  authentication 

schemes,  the  analysis  of  mandatory  versus  discretionary 
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access  controls,  and  the  generation  of  audit  trails  within 
a  LAN.  In  particular,  the  following  would  prove  to  be 
excellent  and  relevant  research  topics  that  need  to  be 
addressed  in  the  field  of  computer  network  security: 

1.  The  distribution  and  management  of  encryption  and 
decryption  keys  will  certainly  add  "overhead"  to  any 
computer  network's  information  processing  capability.  An 
analysis  of  the  extent  of  this  overhead  associated 
strictly  with  security  enforcement  is  necessary  to 
quantify  the  security-specific  throughput  constraints 
imposed  on  a  computer  network. 

2.  Development  of  a  LAN  security  architecture, 
tailored  to  a  specific  LAN  application,  including  both  a 
security  policy  model  such  as  the  prototype  LAN  security 
model  and  implementation  constraints. 

3.  The  CR-200  Data  Encryption  Unit,  described  in 
Appendix  A,  could  form  the  nucleus  of  a  prototype  "Trusted 
Interface  Unit",  perhaps  implementable  on  the  AFIT  Digital 
Engineering  Laboratory's  LSI-11  computer  network. 

4.  The  mathematical  formalization  of  the  prototype 
LAN  security  model,  perhaps  tailored  to  a  specific  LAN 
application. 

Summary 

Security  has  been  an  overlooked  issue  in  the  design, 
analysis,  and  implementation  of  many  computer  systems  and 
networks,  particularly  in  the  private  corporate  sector.  In 
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fact,  the  U.S.  Department 

Publication  500-96,  "The  Selection  of  Local  Area  Networks" 
(ROSE82)  devotes  only  a  single  paragraph  to  security  and 
privacy,  only  to  mention  that  "Security  considerations 
include  security,  access  authorisation,  end  encryption.-' 
The  Department  of  Defense  and  the  intelligence  communities 
have  been  'he  driving  force  behind  provably  secure 

computer  systems  and  networks,  because  national  security 

is  a  primary  objective. 

Security  and  privacy  issues  need  to  be  addressed  at 
the  very  earliest  point  in  the  definition  of  user 
requirements  in  the  baselining  of  all  future  computer 

systems  and  networks.  Otherwise,  the  growing  computer 
literacy  in  our  highly  technological  society  may  exploit 
the  drastic  weaknesses  in  the  privacy  and  security  of 
computer  systems  and  networks. 
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APPENDIX  A 


CR-2QQ  DATA  SECURITY  UNIT 


The  AFIT  Electrical  Engineering  Department  has  one 
CR-200  Data  Security  Unit,  which  is  manufactured  by 
Collins  Telecommunications,  a  division  of  Rockwell 
International.  The  CR-200  is  a  stand-alone  data 
encryption/decryption  device  for  use  in  new  or  existing 
data  communications  systems  to  protect  data  in  transit. 
This  unit  utilizes  a  single  MOS/LSI  implementation  of  the 
National  Bureau  of  Standards'  Data  Encryption  Standard 
(DES)  algorithm  as  specified  in  Federal  Information 
Processing  Standards  Publication  (FIPS  Pub)  46.  The  DES 
initialisation  and  modes  of  operation  are  as  specified  in 
Federal  Standard  1026.  The  cipher  feedback  mode  is  used 
for  data  encryption  and  decryption  while  the  block  mode  is 
used  for  encryption  and  decryption  of  key  variables. 

The  data  encryption  process  occurs  when  the  CR-200 
receives  clear  text  from  the  data  terminal  equipment  (DTE) 
and  outputs  this  data  as  ciphered  text  to  the  data 
communications  equipment  (DCE).  In  the  decryption  mode, 
the  ciphered  text  from  the  DCE  is  decrypted  and  output  to 
the  DTE  as  clear  text  (see  Figure  10).  The  CR-200  contains 
its  own  power  supply,  an  input/output  circuit  card,  a 
CPU/DES  circuit  card,  and  a  circuit  card  that  contains  the 
keypad  and  front  panel  lamps. 
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Figure  10  -  CR-200  Single  Iiink  Encryption  Configuration 

( C0LL7 9 ) 


CR-2_Q0  Operating  Features 

The  CR-200  Data  Security  Unit  can  be  applied  to  data 
networks  operating  full  or  half  duplex,  asynchronously  or 
synchronously  at  data  rates  up  to  9600  bits  per  second. 
Tvo  major  categories  of  protocols  are  supported  -  the 
Asynchronous  Start-Stop  and  character-oriented  synchronous 
(BISYNC  and  similar  protocols).  Extensive  self-test 
capability  is  incorporated  into  the  CR-200  to  simplify 
system  maintenance  and  fault  isolation. 

Internal  storage  for  a  total  of  five  key  variables  is 
included.  A  battery  backup  for  the  key  variable  memory 
assures  that  the  keys  will  not  be  lost  during  a  power 
failure  or  when  the  unit  is  powered  down.  A  special 
interlock  destroys  all  key  variables  if  the  front  cover  is 
opened.  Key  variables  may  be  loaded  from  the  front  panel 
key  pad  of  the  CR-200  or  down-line  loaded  by  means  of 
"rekey  messages"  that  are  recognized  and  intercepted  by 
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the  uait.  Dual  lock  protection  is  provided  for  front  panel 
entry . 


Many  configurations  of  data  communication  networks 
may  utilise  the  CR-200 .  The  least  complex  application  is 
the  encryption  of  a  single  host  processor-to-data  terminal 
link,  referred  to  as  the  single-link  encryption 
configuration,  and  is  illustrated  in  Figure  10.  One  unit 
is  inserted  between  the  host  and  its  associated  modem,  and 
a  seocnd  unit  is  inserted  between  the  data  terminal  and 
its  associated  modem. 

Another  application  simply  extends  the  point-to-point 
case  to  include  multiple  terminals,  all  being  serviced  by 
a  single  host  computer.  This  is  referred  to  as  the 
multidrop  encryption  configuration  and  involves  the 
encryption  of  a  host  processor-to-multidrop  terminal  link 
(see  Figure  11) . 

A  third  potential  application  of  the  CR-200  is  in 
message-switched  systems.  The  CR-200  is  connected  between 
each  data  terminal  and  the  switched  data  network  (see 
Figure  12).  Since  message-switched  applications  often 
utilise  certain  characters  (which  must  not  appear  in  the 
normal  data  traffic)  to  control  the  switch  network,  the 
CR-200  may  be  optioned  (specified  at  time  of  order  from 
Collins)  to  remove  any  such  characters  from  the  cipher 
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Figure  11  -  CR-200  Multidrop  Encryption  Configuration 

( C0LL7  9 ) 


Figure  12  -  CR-200  Message  Switched  Netvork  Configuration 

(COLL79) 
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Since  the  DES  algorithm  it  public  information,  the 
entire  security  of  DES-based  encryptors  resides  in  keeping 
the  key  variables  secret  (the  key  variable  is  a  56-bit 
number  that  controls  the  DES  encryption/decryption 
operation).  Th^re  are  tvo  basic  threats  to  keeping  the 
key-variable  secret: 

1)  Unauthorised  access  to  the  key-variable 
generation,  distribution,  or  storage  process,  and 

2)  Analysis  of  sufficient  encrypted  data  to  determine 
the  key  variable. 

The  strength  of  the  DES  algorithm  makes  the  second  threat 
a  very  expensive  and  time-consuming  process  involving 
trial  and  error  of  over  1016  key  variables.  By  changing 
the  key  variable  periodically,  this  process  can  be  made 
prohibitively  expensive  or  time  consuming.  A  process 
inexpensive  enough  mould  take  so  long  that  the  information 
encrypted  in  the  particular  key  variable  is  no  longer 
valuable  by  che  time  the  key  variable  is  determined. 
Hovever,  changing  the  key  variable  often  increases  the 
first  threat  by  increasing  the  number  of  key  generation, 
distribution,  and  storage  processes  mhich  require 
protection.  To  ease  this  problem,  the  CR-200  employs  a 
master / secondary  key  arrangement. 


The  master  key  (also  called  the  key  encrypting  key 
"KEK" )  is  used  to  encrypt  secondary  keys  and  becomes  the 
only  key  variable  that  must  be  distributed  and  stored  in  a 
secure  manner.  By  limiting  its  use  to  a  relatively 
infrequent  encryption  of  secondary  keys,  which  are 
themselves  pseudorandom  numbers,  the  threat  of  determining 


the  master  key  by  analysis  is  all  but  eliminated.  Since 
the  analysis  threat  is  low,  the  master  key  life  is  long 
(several  years,  for  example)  and  there  are  few  generation 
and  distribution  processes  to  protect. 

The  secondary  key  (also  called  the  data  encrypting 
key  "BEK")  is  used  to  encrypt  the  actual  data  and  is 
changed  more  frequently  than  the  master  key  (daily, 
weekly,  or  monthly,  for  example).  If  it  is  encrypted 
before  distribution  and  storage,  these  processes  need  not 
be  secure.  For  example,  the  encrypted  secondary  keys  could 
be  distributed  by  telephone  or  mail  without  regard  to  who 
may  have  access  to  them  during  distribution.  As  long  as 
the  master  key  is  unavailable  to  unauthorised  persons,  the 
encrypted  secondary  keys  are  secure. 

The  CR-200  has  the  capability  to  store  and  use  five 
keys.  A  single  master  key,  which  may  be  entered  only 
through  the  CR-200'e  front  panel  key  pad,  is  used  only  to 
encipher  new  secondary  keys.  Four  secondary  keys,  used  to 
encrypt  data  traffic,  may  be  stored  in  the  unit,  ail  of 
which  may  be  down-line  loaded  through  the  network  using  a 
"rekey  message". 


A  normal  tcanarlo  of  operation  includes  each  CR-200 
crypto  unit  in  the  data  network  having  a  unique  master 
key.  Bach  secondary  key  would  be  related  to  a  mesaage  or 
group  of  messages  and  would  normally  be  loaded  through  the 
network. 

One  use  for  the  multiple  secondary  key  storage  is 
with  multidrop  network  links.  The  units  associated  with 
the  data  terminals  may  use  different  secondary  keys,  and 
the  unit  associated  with  the  host  may  store  up  to  four  of 
these  secondary  keys.  As  the  host  polls  the  different  data 
terminals,  it  is  not  necessary  to  reload  any  secondary 
keys.  Only  a  short  command  to  change  keys  neoda  to  be  sunt 
to  the  encryptor  associated  with  the  host. 

Remote  loading  of  secondary  key  variables  (down-line 
loading)  is  accomplished  by  passing  special  "rekey" 
messages  to  the  unit.  These  messages  may  originate  from  a 
data  terminal  keyboard  or  a  processor  that  is  part  of  the 
data  network. 


One  interesting  option  available  on  the  CR-200  is  the 
capability  to  establish  a  "session  key".  The  session  key 
is  a  key  variable  that  is  generated  by  the  transmitting 
unit,  automatically  loaded  down-line  to  the  receiving 


unit,  and  used  for  a  single  communication  session.  Once 
the  interactive  session  has  terminated,  the  key  expires 


and  any  subsequent  communication  requires  a  nav  session 
key.  This  session  kay  mode  of  operation  is  an  option 
enabled  by  a  hardware  strap  within  the  CR-200  unit.  The 
aassion  key  is  generated  by  a  pseudorandom  generator 
within  the  unit  and  is  encrypted  in  the  eecondary  key 
bafore  being  down-line  loaded.  When  the  seesion  key  option 
ia  enabled,  the  only  use  of  the  secondary  key  is  to 
encrypt  the  session  key.  Thus,  the  useful  life  of  a 
secondary  key  ie  greatly  increased  and  the  key 
distribution  requirements  are  significantly  reduced.  The 
session  key  option  is  available  only  with  asynchronous 
protocol  units. 


The  CR-200  Data  Security  Unit  is  intended  primarily 
for  encrypting  data  links  between  a  host  computer  and  its 
associated  terminal(s).  Such  data  links  are  usually 
connected  to  actual  hardware  I/O  porta  on  the  host 
computer,  so  terminal  addressing  from  the  host  is  not 
included  in  the  data  to  be  transmitted.  Rather,  the 
terminal  addressing  is  accomplished  by  the  host  computer 
selecting  the  appropriate  input/output  port  corresponding 
to  the  desired  terminal. 

This  poses  a  problem  for  using  the  C8-200  in  a  local 
area  computer  network  environment  where  there  is  no 
central  host  computer  to  manage  the  node-to-node 


addressing  protocol.  Since  the  CR-200  basically  snerypta  a 
streaa  of  raw  data  for  transmis a  ion ,  some  naans  for  adding 
appropriate  header  messages  and  packetiaing  the  data  into 
a  standard  format  such  as  the  X.25  standard  packet 
formats.  The  actual  data  intended  for  transmission  in  a 
local  area  network  must  ha  properly  packaged  into 
individual  packets,  each  of  which  must  contain  network 
control  paraaaters  such  as  destination  and  source 
addressing  information  for  connection  management. 
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